FOREWORD

There is a relentless struggle taking place in the cybersphere as government and business spend billions attempting to secure sophisticated network and computer systems. Cyber attackers are able to introduce new viruses, worms, and bots capable of defeating many of our efforts. The U.S. Government has set a goal of modernizing the nation's energy grid. A cyber attack on our energy grid could cut off service to large areas of the country. Government, business, and academia must therefore work together to understand the threat and develop various modes of fighting cyber attacks, and to establish and enhance a framework for deep analysis of this multidimensional issue.

The cyber infrastructure protection conference for academic year 2010-11 focused on strategic and policy directions, and on how these policy directions should cope with the fast-paced technological evolution. Topics addressed by the conference attempted to answer some of these questions: How serious is the cyber threat? What technical and policy-based approaches are best suited to securing telecommunications networks and information systems infrastructure? What role will government and the private sector play in homeland defense against cyber attack on critical civilian infrastructure, financial and logistical systems? What legal impediments exist on efforts to defend the nation against cyber attacks, especially in the realm of preventive, preemptive, and retaliatory actions?

Our offerings here are the result of a 2-day colloquium titled Cyber Security Infrastructure Protection, conducted on June 8-9, 2011, by the Center of Information Networking and Telecommunications (CINT) at the Grove School of Engineering, the Colin Powell Center for Public Policy — both at the City University of New York, City College (CCNY) — and the Strategic Studies Institute at the U.S. Army War College. The colloquium brought together government, business, and academic leaders to assess the vulnerability of our cyber infrastructure and provide strategic policy directions for the protection of such infrastructure.

Given the complexities of national security in the 21st century and the fast-changing nature of the cyber domain, the Strategic Studies Institute proudly presents the results of this very relevant colloquium. We are sure it will be an essential read for both the practitioner and the academic alike to gain a better understanding of cyber security.

DOUGLAS C. LOVELACE, JR.
Director
Strategic Studies Institute and
U.S. Army War College Press
PREFACE

This book is a follow-on to our earlier book published in 2011 and represents a detailed look at various aspects of cyber security. The chapters in this book are the result of invited presentations in a 2-day conference on cyber security held at the City University of New York, City College, June 8-9, 2011.

Our increased reliance on the Internet, information, and networked systems has also raised the risks of cyber attacks that could harm our nation's cyber infrastructure. The cyber infrastructure encompasses a number of sectors including the nation's mass transit and other transportation systems, railroads, airlines, the banking and financial systems, factories, energy systems and the electric power grid, and telecommunications, which increasingly rely on a complex array of computer networks. Many of these infrastructures' networks also connect to the public Internet. Unfortunately, many information systems, computer systems, and networks were not built and designed with security in mind. As a consequence, our cyber infrastructure contains many holes, risks, and vulnerabilities that potentially may enable an attacker to cause damage or disrupt the operations of this cyber infrastructure. Threats to the safety and security of the cyber infrastructure come from many directions: hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare. Costs to the economy from these threats are huge and increasing. Cyber infrastructure protection refers to the defense against attacks on such infrastructure and is a major concern of both the government and the private sector.

A key contribution of this book is that it provides an integrated framework and a comprehensive view of the various forms of cyber infrastructure protection. We, the editors, strongly recommend this book for policymakers and researchers.

CHAPTER 1

INTRODUCTION

Tarek Saadawi
Louis H. Jordan, Jr.
Vincent Boudreau

In recent years, the analysis of cyber security has moved into what one might call a series of second-generation conversations. The first generation, dominated by engineers and computer programmers, regarded the issue as primarily a technical matter, and sought responses to cyber threats mainly in the development of protective software and hardware design. In their early phases, cyber threats were primarily regarded as politically neutral, and without a great deal of economic motivation. Hence, how these threats were generated, and what social or political actors or systems directed these attacks, mattered little. Up-to-date anti-virus software and other protective technology were judged sufficient to protect both personal and public cyber assets against attack.

Several things have changed since those early conversations. First, and most obviously, technology has grown more complex and more networked. As our society demanded more interactive cyber systems, the danger of contamination across these systems has grown. Second, cyber attacks have become less economically or politically neutral than in previous generations. Evidence is mounting that both governments and insurgent groups are using cyber platforms as a way of mounting attacks. Threats to cyber security from economically motivated groups, and especially from increasingly well-organized criminal syndicates, are more advanced. Third, innovations in cyber technology each year make increasingly sophisticated cyber weapons more widespread. Moreover, as the market in malware evolves, the technology can be rented, making the threat more and more affordable. Finally, trends in technology development suggest that, generally, efforts to defend against cyber attacks will always be more expensive than efforts to develop new forms of attack. Over time, therefore, the possibility of developing purely technical solutions to the threats against cyber security seems dauntingly uneconomical, even if entirely technologically feasible.

There is a relentless struggle taking place in the cyber sphere as government and business spend billions attempting to secure sophisticated network and computer systems. Cyber attackers are able to introduce new viruses and worms capable of defeating many of our efforts. The military depends more on technological solutions than ever before. A cyber attack on military operations could be more devastating than the effects of traditional weaponry. Additionally, these attacks will come from an unseen adversary who will likely be unreachable for a counterattack or countermeasure. In this "Fifth" generation of warfare, the battlefield is everywhere, and everyone potentially becomes a combatant, which raises grave new questions in the areas of the law of war as well as national sovereignty. The U.S. military must work more closely than ever before with the various agencies of government, business, and academia to understand the threat and develop various modes of fighting cyber attacks.

Where, then, has the discussion of cyber security turned? Some answers lie in reversing trends toward greater integration and increasing technological sophistication. As cyber threats diffuse across increasingly connected networks, some have sought to counter them by developing lower-technology systems unintegrated with the larger cyber infrastructure, simply by having their own isolated cyber islands disconnected from the larger cyber systems. Others continue — as they must — to fight the war on a technological front, developing faster and more sophisticated ways of countering cyber threats. But for many, the evolution of cyber security requires a new and deeper understanding of the social, economic, and political dynamics that animate cyber terrorism and cybercrime. As with conventional security analysis, or efforts to decrease or frustrate criminal behavior more generally, we have begun to consider how the social forces that motivate and govern the generation of cyber threats can influence cyber security. By understanding how the market in criminal malware operates, or figuring out the dynamics that hold organized crime together, cyber security specialists can more effectively develop methods of staving off those threats. While the last several decades have perhaps encouraged us to think of cyber threats as programs, viruses, worms, spyware, and botnets, current conversation recalls that people — connected to one another in organizations or through networks, motivated by political or criminal concerns, living in societies and subject to laws — deploy these threats.

The tools of foreign policy, conventional security studies, criminology, sociology, and economic theory are all relevant to the analysis of these threats. Deterrence theory, for example, focuses on how to prevent people with capacity from acting to inflict harm. Game theory explores how different political objectives and modes of interaction — reassurance, recognition, security, and prestige — influence exchanges of threat or attack. But, however useful, these analytic tools now need to navigate an entirely new landscape. How, for instance, can one deter an entity that thrives on the secrecy of an Internet identity? Are there ways of deterring cyber warriors who thrive on the prestige of making a bold cyber strike? Can we translate strategies designed to influence the behavior of nation-states (who must balance a range of goals that include their power, the stability of their regimes, and the well-being of their populations) to use against smaller networks, with neither citizens nor legal standing to worry about? In important and obvious ways, we cannot simply turn to the established works of social scientists for answers.

The problem, of course, is compounded by the technological side of things, and the fact that social scientists, computer scientists, engineers, and technicians have an uneven track record of working together to solve these problems (though in the current environment, work together they must). Does current technology allow us to deter a cyber attack credibly? If political strategy suggests a move from the existing, more defensive posture to one that favors a proactive attack on insurgent or criminal organizations, what might such a weapon look like, and what are the broader implications of using offensive cyber weapons? As such questions illustrate, the solution to many of today's most pressing cyber threats (as well as those we can imagine emerging in the near and distant future) rests not in the realm of the social sciences, but in efforts to integrate lessons derived from those sciences into the design of technological work; the march of cyber technology needs to converge around politically informed strategies for the deployment of that technology. Hence, while cyber security once functioned mainly as a shield to deflect attacks, wherever they came from and however they were directed, contemporary technological design must figure out both how to protect cyber assets and how to identify, interdict, disrupt, and frustrate the organizations that mount attacks against them.

This book is designed as a way of entering this conversation. The chapters in this book were mainly presented as papers at the Cyber Infrastructure Protection 2011 conference at the City College of New York, in early June 2011. At this conference, presenters were asked to think about the relationship between the technical and human elements of the threats to cyber security. The discussion was wide ranging, including experts in law, criminal behavior, international dynamics, and, of course, technical elements of cyber security. This book includes many of those papers, as well as several additional contributions. By presenting this work, we hope to encourage more research and the development of strategy toward a more integrated approach to cyber security, one that borrows both from the fields of technology and engineering and from broader social scientific approaches.

OUTLINE OF THE BOOK

The book is divided into three main parts. Part I discusses the economic and social aspects of cyber security, covering the economics of malicious software and stolen data markets as well as the emergence of the civilian cyber warrior. Part II deals with laws and cybercrime, covering social and justice models for enhanced cyber security, and provides an institutional and developmental analysis of the data breach disclosure laws. Part II also provides solutions for the critical infrastructure that protect civil liberties and enhance security, and explores the utility of open source data. Part III presents the technical aspects of the cyber infrastructure and presents monitoring for Internet service provider (ISP) grade threats as well as the challenges associated with cyber issues.

ECONOMICS AND SOCIAL ASPECTS OF CYBER SECURITY

The first two chapters in this book provide a framework for the economic and social aspects of cyber security. In Chapter 2, Thomas Holt uses data from a sample of active, publicly accessible web forums that traffic in malware and personal information to consider the supply and demand for various types of malicious software and related cybercrime services, which have a prospective economic impact on cybercrime campaigns against civilian and business targets. In order to explore and expand our understanding of the economics of cybercrime in general, this chapter utilizes a qualitative analysis of a series of threads from publicly accessible Russian web forums that facilitate the creation, sale, and exchange of malware and cybercrime services. The findings explore the resources available within this marketplace and the costs related to different services and tools. Using these economic data, coupled with loss metrics from various studies, this analysis considers the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings provide insights into the market dynamics of cybercrime and the utility of various malware and attack services in the hacker community. In summary, this chapter explores the market for malicious software and cybercrime services in order to understand the price and availability of resources, as well as the relationship between the price paid for services and the cost experienced by victims of these crimes.

In Chapter 3, Max Kilger focuses on the civilian cyber warrior — who poses perhaps the most significant emerging threat to domestic and foreign critical infrastructures. Chapter 3 starts by providing some basic background for a schema that outlines six motivational factors that encourage malicious online behaviors.

The key concept is that perhaps for the first time in history, an everyday ordinary civilian can effectively attack a nation-state — in this case, through a cyber attack on some component of that nation-state's critical infrastructure. "Effectively" here means that the attack can cause significant widespread damage and has a reasonably high probability of success and a low probability of the perpetrator being apprehended. One of the first things that one might want to investigate in the chain of actions for a terrorist act is the initial starting point, where individuals begin thinking about and rehearsing in their minds the nature, method, and target for the terrorist attack. A key point for the historical and social significance of the emergence of a civilian cyber warrior is the psychological significance of the event. The reassessment of the usual assumptions of the inequalities of the levels of power between nation-states and citizens establishes new relationships between institutions of society, government, and individuals.

An initial examination of the severity of physical attacks and cyber attacks that respondents feel are appropriate to launch against a foreign country brings both good news and bad news to the table. On the one hand, the vast majority of respondents select only responses that have minor or no consequences to the targeted foreign country. On the other hand, there are a nontrivial number of respondents who personally advocate the use of physical and cyber attacks against a foreign country that have some moderate to very serious consequences. While there is some comfort in the fact that expressing intentions to commit terrorist acts is only the first link in the behavioral chain from ideation to the execution of an attack, and bearing in mind that this is a scenario-based situation, even a small incidence of individuals who would consider some of the most serious acts is troubling. This suggests that the emergence of the civilian cyber warrior (and perhaps the physical attack counterpart) is an event to take into account when developing policies and distributing resources across national priorities to protect national critical infrastructures. Knowing the enemy can be a key element in gaining a comprehensive perspective on attacks against online targets.

LAW AND CYBERCRIME

Law and cybercrime are explored in Part II of this book. In Chapter 4, Michael M. Losavio, J. Eagle Shutt, and Deborah Wilson Keeling argue that to change the game in cyber security, we should consider criminal justice and social education models to secure the highly distributed elements of the information network, extend the effective administration of justice to cybercrime, and embed security awareness and competence in engineering and common computer practice. Safety and security require more than technical protections and police response. They need a critical blend of these elements with individual practice and social norms. Social norms matched with formal institutions enhance public safety, including in the cyber realm. Informal and formal modes of controlling and limiting deviant behavior are essential for effective security.

Chapter 4 suggests that routine activity theory, opportunity theory, and displacement theory — frameworks for analyzing crime in communities — are ways to conceptualize and pattern the benefits of informal social control on cyber security. Routine activity theory (RAT) holds that, for cyber security, the analysis should equally consider the availability of suitable targets, the presence or lack of suitable guardians, and an increase or decrease in the number of motivated offenders — particularly those seeking financial gain or state advantage. Online social networks themselves suggest opportunities for the examination of RAT-based security promotion. Facebook, MySpace, and LiveJournal are online social networks that can promote cyber security within and without their domains. RAT can also be applied to criminal activity involving computing systems. The application of criminological principles to cyber security also extends to the use of criminal profiling and behavioral analysis. The reactive use of these techniques, much like the use of technical digital forensics in network settings, serves to focus an investigation and response in particular areas and on particular individuals. The proactive use of profiling can deter or prevent crime, as drug courier profiling does.

In Chapter 5, Melissa Dark considers the state data breach disclosure laws recently enacted in most states of the United States. Three reasons make the state data breach disclosure laws of interest: (1) the rapid policy growth; (2) the first instance of an informational regulation for information security; and (3) the importance of these laws to prevent identity theft and to protect privacy. Technological advancements are changing the information security and privacy landscape considerably. Yet, these policies are blunt instruments not suited to careful excision of these ills. Some advocates of modifying existing laws assert that the outcome of data breach disclosure should be to motivate large-scale reporting so that data breaches and trends can be aggregated, which allows a more purposeful and defensive use of incident data.

In Chapter 6, Joshua Gruenspecht identifies some problems of identity determination that raise some of the most complicated unresolved issues in cyber security. Industry and government are pursuing a number of approaches to better identify communicants in order to secure information and other assets. As part of this process, some policymakers have suggested that fundamental changes to the way in which the Internet transmits identity information may be necessary. Authentication is "the process of establishing an understood level of confidence that an identifier refers to a particular individual or identity." Authentication often involves an exchange of information before some other transaction in order to ensure, to the extent necessary for the transaction at hand, that the sender of a stream of traffic is who he or she claims to be or otherwise has the attributes required to engage in the given transaction. Attribution is the analysis of information associated with a transaction or series of transactions to try to determine the identity of a sender of a stream of traffic. Information collection and analysis are the focus of attribution. This chapter focuses on authentication and attribution; two other issues closely relate to identity and are critical elements of any secure system: authorization and auditing. This chapter considers these problems and concludes that authentication-oriented solutions are more likely to provide significant security benefits and less likely to produce undesirable economic and civil liberties consequences.

In Chapter 7, George W. Burruss, Thomas J. Holt, and Adam M. Bossler focus on the value of open reporting for malware creation and distribution. The authors consider how this information combines with other measures to explore the country-level economic, technological, and social forces that affect the likelihood of malware creation. The chapter proposes that online repositories containing data on malicious software can be valuable to study the macro-level correlates of malware creation. The data for the dependent variable used for this study (MALWARE) came from an open source malware repository where individuals could post information obtained on malicious software. The data for the independent variables derive from the CIA World FactBook and from Freedom House, a nongovernmental agency that collects annual data on political freedom around the globe. The chapter concludes that the diverse and sophisticated threats posed by hackers and malicious software writers require significant investigation by both the technical and social sciences to understand the various forces that affect participation in these activities. The chapter suggests that there is a strong need for greater qualitative and quantitative examinations of hacker communities around the world. Research on hacker subcultures in the United States, China, and Russia suggests that there are norms, justifications, and beliefs that drive individual action.

CYBER INFRASTRUCTURE

In Chapter 8, Abhrajit Ghosh presents a comprehensive view of network security from several years of research conducted at Telcordia; in particular, the problem of monitoring large-scale networks for malicious activity. The goal of the developed system is to detect various types of network traffic anomalies that could be caused by Distributed Denial of Service (DDoS), spamming, Internet protocol (IP) address spoofing, and botnet activities. Currently, three types of anomaly detectors are provided to collect data and generate alerts: (a) Volume Anomaly Detectors; (b) Source Anomaly Detectors; and (c) Profile Anomaly Detectors. The goal of the source anomaly detectors is to identify instances of source IP address spoofing in observed flows. Here data for the monitored ISP is acquired via NetFlow/sFlow data feeds from three flow agents. The profile anomaly detectors can detect any behavioral anomalies pertaining to hosts within the monitored network.

One profile anomaly detector that is currently part of the system can identify potential spammers using flow data and spammer blacklists. The Telcordia system incorporates an efficient real-time volume anomaly detector designed to give early warning of observed volume anomalies. The volume anomaly detector operates by considering a near-term moving window of flow records when computing the traffic traveling to a destination address. The system incorporates a correlation engine that correlates alerts generated by the different types of anomaly detectors. A significant issue with many anomaly detection-based approaches is their potentially high false-positive rate. The correlation engine component is designed to reduce the possibility of generating false positives. Finally, the use of an alert correlation component is valuable to a network operator who would be very interested in lowering false-positive rates.
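The moving-window volume detector, the source (spoofing) detector, and the alert correlator that the Chapter 8 summary describes, as an added Python example; this is not Telcordia's code or the chapter's. It assumes a constructed flow-record layout (timestamp, exporting agent, source, destination, octets), a monitored prefix of 10.0.0.0/8, and that agents named edge-1 and edge-2 sit on external-facing links; the sample flows are constructed so that a spoofed-source flood is flagged by both detectors while a legitimate flash crowd is flagged by the volume detector only.

```python
"""Volume, source-spoofing and correlation detectors over flow records.
Constructed example modelled on the three detector types the chapter
describes; not Telcordia's code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed monitored ISP prefix and the flow agents on external-facing links.
MONITORED = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_AGENTS = {"edge-1", "edge-2"}


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow/sFlow-style record (constructed layout)."""
    ts: int       # seconds since start of capture
    agent: str    # which flow agent exported the record
    src: str
    dst: str
    octets: int


def bucket_of(ts, window):
    """Start of the fixed-size time bucket that `ts` falls into."""
    return (ts // window) * window


def volume_alerts(flows, window=60, z_thresh=3.0, min_history=5):
    """Volume anomaly detector: per destination, compare each bucket's byte
    count with the mean/stddev of the preceding buckets (the near-term
    history window). Returns {dst: [bucket_start, ...]} for anomalous buckets."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst][bucket_of(f.ts, window)] += f.octets
    alerts = defaultdict(list)
    for dst, buckets in per_dst.items():
        history = []
        for start in sorted(buckets):
            vol = buckets[start]
            if len(history) >= min_history:
                mu = mean(history)
                # Floor sigma at 10% of the mean (and at 1 byte) so a flat
                # baseline still yields a usable threshold, never a zero divisor.
                sigma = max(pstdev(history), 0.1 * mu, 1.0)
                if (vol - mu) / sigma > z_thresh:
                    alerts[dst].append(start)
            history.append(vol)
    return dict(alerts)


def source_alerts(flows, window=60):
    """Source anomaly detector: a record exported by an external-facing agent
    whose source address claims to be inside the monitored prefix is a
    spoofed-source candidate. Returns {dst: {bucket_start: spoofed_count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.agent in EXTERNAL_AGENTS and ipaddress.ip_address(f.src) in MONITORED:
            hits[f.dst][bucket_of(f.ts, window)] += 1
    return {dst: dict(b) for dst, b in hits.items()}


def correlate(vol, src, min_spoofed=3):
    """Correlation engine: promote a volume anomaly to a high-confidence alert
    only when the source detector also fired for the same destination and
    bucket. A volume spike alone (e.g. a flash crowd) is not reported."""
    out = []
    for dst, buckets in vol.items():
        for start in sorted(buckets):
            spoofed = src.get(dst, {}).get(start, 0)
            if spoofed >= min_spoofed:
                out.append((dst, start, spoofed))
    return out


def sample_flows():
    """Constructed flows: six minutes of steady traffic to two servers, then in
    the seventh minute (bucket 360) a spoofed-source flood at 10.0.0.5 and a
    legitimate flash crowd at 10.0.0.9."""
    flows = []
    for minute in range(6):
        for i in range(5):
            ts = minute * 60 + i * 10
            flows.append(Flow(ts, "edge-1", f"203.0.113.{i + 1}", "10.0.0.5", 200 + 10 * i))
            flows.append(Flow(ts, "edge-2", f"198.51.100.{i + 1}", "10.0.0.9", 200 + 10 * i))
    for i in range(40):
        # Sources inside 10.0.0.0/8 arriving on an external link: spoofed.
        flows.append(Flow(360 + i, "edge-1", f"10.{i % 4}.{i}.1", "10.0.0.5", 1500))
        # Real external clients: a spike, but nothing suspicious about the sources.
        flows.append(Flow(360 + i, "edge-2", f"198.51.100.{100 + i}", "10.0.0.9", 1500))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    vol, src = volume_alerts(flows), source_alerts(flows)
    print("volume anomalies:", vol)                    # both servers in bucket 360
    print("correlated alerts:", correlate(vol, src))   # only 10.0.0.5
```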

The  goal  of  Chapter  9,  written  by  Stuart  Starr,  is 
to  explore  the  state-of-the-art  in  our  ability  to  assess 
cyber  issues.  To  illuminate  this  issue,  the  author  pres¬ 
ents  a  manageable  subset  of  the  problem.  Using  that 
decomposition,  he  identifies  candidate  cyber  policy 
issues  that  warrant  further  analysis  and  identifies 
and  illustrates  candidate  Measures  of  Merit  (MoMs). 
Subsequently,  Starr  characterizes  some  of  the  more 
promising  existing  cyber  assessment  capabilities  that 
the  community  is  employing.  That  discussion  is  fol¬ 
lowed  by  an  identification  of  several  cyber  assessment 
capabilities  that  are  necessary  to  support  future  cyber 
policy  assessments.  The  chapter  concludes  with  a  brief 
identification  of  high  priority  cyber  assessment  efforts 
to  pursue. 
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PART  I: 

ECONOMICS  AND  SOCIAL  ASPECTS 
OF 

CYBER  SECURITY 
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CHAPTER  2 


EXPLORING  THE  ECONOMICS 

OF  THE  MALICIOUS  SOFTWARE  MARKET 

Thomas  J.  Holt 

This  research  was  sponsored  by  the  National  In¬ 
stitute  of  Justice,  Award  No.  2007-IJ-CX-0018  (August 
2007-November  2009).  The  points  of  view  within  this 
document  are  those  of  the  author  and  do  not  necessar¬ 
ily  represent  the  official  position  of  the  U.S.  Depart¬ 
ment  of  Justice. 

INTRODUCTION

The growth and function of malicious software markets have caused a shift in the way that hackers use and access malware with varying degrees of skill. Specifically, web forums allow individuals to purchase access to sophisticated malicious software to victimize vulnerable systems and individuals and to sell the data they illegally obtain for a profit. Those with limited technical capabilities can utilize products sold in these markets to engage in attacks, while individuals with greater skill can generate a profit by providing access to their infrastructure and resources. While researchers are constantly exploring these markets to identify emerging threats, few have considered the actual economic conditions that affect the market, including the costs and benefits for offenders, and the losses incurred by affected victim computers. This qualitative study utilizes data from a sample of active publicly accessible web forums that traffic in malware and personal information to determine: the supply and demand for various types of malicious software and related cybercrime services; the offenders' costs associated with multiple forms of attacks; and the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings will benefit computer security practitioners, law enforcement, and the intelligence community by exploring the market dynamics and scope of the underground economy for cybercrime.

OVERVIEW

As technology increasingly permeates all facets of modern life, the risks posed by cyber attacks have increased dramatically.1 Hackers target all manner of systems around the world in order to steal information, compromise sensitive networks, and establish launch points for future attacks.2 In fact, evidence suggests that the number of computer security incidents has increased as more countries connect to the Internet.3 Many of these attacks stem from computer hackers living in China, Russia, and Eastern Europe.4 A sizeable proportion of these actors utilize malicious software, or malware, to automate various aspects of an attack.5

Malicious software, including viruses, Trojan horse programs, and various other tools, simplifies or automates portions of a compromise, making it possible to engage in more sophisticated or complex intrusions beyond the true skills of the attacker.6 In addition, the emergence of botnet malware, which combines multiple aspects of existing malware into a single program, enables hackers to establish stable networks of infected computers around the world.7 These botnets can engage in attacks ranging from the distribution of spam to denial of service attacks and network scanning. The growth of botnet malware in the computer underground has revolutionized malware, leading individuals to lease out their infrastructure to the larger population of semi-skilled hackers to engage in attacks.8

The evolution of malware has led to the formation of an online marketplace for the sale and distribution of malicious software, stolen data, and hacking tools.9 These markets largely operate in forums and Internet Relay Chat (IRC) channels in Russia and Eastern Europe and enable hackers to buy or sell various tools and services to facilitate attacks against all manner of targets. Few studies have, however, considered the impact of these markets on the economics of cybercrime for both victims and offenders. For instance, the ability to purchase sophisticated malware may reduce the time an individual must invest in an attack, and diminish the requisite knowledge needed to hack.10 In addition, limited research has considered the supply and demand for different services within the malware market, calling into question the perceived value of certain tools and attacks relative to other offenses. Finally, the lack of concrete loss metrics on the impact of cybercrime in both the public and private sector makes it difficult to understand the profits a cybercriminal may acquire.

In order to explore these issues and expand our understanding of the economics of cybercrime in general, this chapter utilizes a qualitative analysis of a series of threads from publicly accessible Russian web forums that facilitate the creation, sale, and exchange of malware and cybercrime services. The findings explore the resources available within this marketplace and the costs related to different services and tools. Using this economic data coupled with loss metrics from various studies, this analysis considers the prospective economic impact of cybercrime campaigns against civilian and business targets. The findings provide insights into the market dynamics of cybercrime and the utility of various malware and attack services in the hacker community.

HACKING, MALWARE MARKETS, AND THE ECONOMIC IMPACT OF CYBERCRIME

In order to examine malicious software markets, it is critical to first understand the general dynamics of the hacker community, whose members create and utilize malware. Hackers operate within a subculture that values profound and deep connections to technology.11 This subculture is also a meritocracy, in which participants judge one another based on their capacity to utilize computer hardware and software in innovative ways.12 Those who can devise unique tools and identify new vulnerabilities garner respect from their peers and develop a reputation for skill and ability within the subculture.

There are, however, a limited number of individuals with the knowledge or skill necessary to engage in truly sophisticated hacks and attacks.13 A larger proportion of the hacker community has some demonstrable skill and can understand both the theory and mechanics behind an attack, but may not be able to create all the tools necessary to complete an attack on their own. Thus, they may seek out resources from those with greater skill in order to improve their capabilities. Similarly, a portion of the hacker community simply seeks to engage in attacks or applications of hacking without developing the requisite knowledge necessary to complete the act.14 These actors are referred to as "script kiddies," because they try to acquire malicious software and use these programs without understanding the full functionality or processes affected.

The variation in skill and ability within the hacker community, coupled with a strong desire for the free flow of information, led hackers to trade and distribute tools and information on and offline regularly.15 In the 1980s and 1990s, individuals would often barter for new resources, whether through trading stolen information or credentials, bulletin board system (BBS) access, or other valuable resources.16 The creation of electronic payment systems and changes in the popularity of technology and information sharing, however, have engendered the growth of online markets where hackers can sell tools and data.17

Examinations of these marketplaces indicate that hackers can now buy and sell resources to facilitate attacks or information acquired after a compromise. Hackers regularly sell credit card and bank accounts, PIN numbers, and supporting customer information obtained from victims around the world in lots of tens or hundreds of accounts.18 Individuals also offer cash-out services to obtain funds from electronic accounts or automated teller machine systems (ATMs) offline, as well as checking services to validate whether an account is active and what balance is available. Spam- and phishing-related services are also available in IRC channels, including bulk email lists to use for spamming and email injection services to facilitate responses from victims.19 Some sellers also offer Distributed Denial of Service (DDoS) services and web hosting on compromised servers.20
These studies clearly demonstrate the burgeoning marketplace for hacking tools and stolen data, and provide some insights into the costs of goods and services. Few, however, have considered how the fee structures and pricing for malware and data services may affect offender decisionmaking. For instance, it is unclear how much an individual may earn from a spam, denial of service, or malware infection campaign relative to his or her initial investment. This is due to the substantial difficulty in obtaining information about the losses to individual and corporate victims of cybercrime.21 Intrusions and attacks are often unreported to law enforcement, particularly in corporate settings, because businesses may not recognize, or may cover up, the problem to minimize customer concerns.22 Similar issues arise in estimating the losses individual citizens experience due to cybercrime. Many home users may not recognize that their computer has been compromised, or may perceive that the incident will not be investigated or taken seriously by law enforcement.23

As a consequence, there are few official statistics available on the prevalence of cybercrimes reported to law enforcement agencies.24 For instance, this information is not provided in the Federal Bureau of Investigation's (FBI) annual Uniform Crime Reports, and few industrialized nations report cybercrime through a central government outlet.25 There are also a limited number of outlets that report the economic impact of computer intrusions and cyber attacks. This is due to the difficulty in accurately estimating the costs of cleaning up and mitigating an infection or patching all affected systems.26 The variation in the impact of an attack also makes it difficult to determine appropriate loss metrics. For example, it is unclear whether the estimated financial harm of a DDoS attack is based on the prospective loss of revenue from prospective customers or losses to employee productivity.

As a consequence, data on the costs of cybercrime are largely generated by small samples of corporations willing to provide information based on attacks within their environments.27 Similarly, the Internet Crime Complaint Center is one of the few outlets that provides consistent statistics on the economic impact of certain forms of cybercrime victimization in the general population.28 The reported estimates use only self-reported victimization as the basis for examination. Thus, it is unknown how common these offenses are in the general population or how the variation in losses affects individual behavior while online.

In light of the significant gap in our knowledge of the economics of cybercrime for both offenders and victims, this chapter will explore this issue using a qualitative analysis of 909 threads from 10 active web forums in Russia and Eastern Europe that are involved in the creation, sale, and distribution of malicious software. This chapter will explore the products and services available in the market, as well as the supply, demand, and price for these resources. In turn, this information will be used to develop estimates for profit margins based on costs and loss metrics for cybercrime campaigns against civilian and business targets.

Data and Methods.

The data for this study came from a sample of 10 publicly accessible web forums; six of these forums trade in bots and other malicious code, while four provide information on programming, malware, and hacking.29 These data were collected as part of a larger project examining botnets using a snowball sampling procedure in Fall 2007 and Spring 2008.30 Specifically, two English language forums were identified through google.com, using the search term "bot virus carder forum dump." This is a standard technique used by social scientists to collect qualitative data online to obtain a wide sample of prospective sites.31 After exploring the content of publicly accessible threads from these two sites, six other Russian language forums were identified via web links provided by forum users. In fact, most participants in forums involved in the sale and trade of malware communicate using the Russian language.32 Thus, a sample of threads from each of these forums was examined by a native-speaking Russian research assistant to ensure the content focused on the sale and exchange of malware. Four additional Russian language forums were identified through links provided in these sites to create this sample of ten forums. Six of these forums focus exclusively on either open sales or requests for malicious software, hacking tools, cybercrime services, and stolen data. The remaining four forums provide a mix of sales, information sharing, and resources to facilitate hacking and malware creation. The names of each forum have been removed to maintain some confidentiality for the participants and forum operators.

Within these 10 forums, all of the available publicly accessible threads were downloaded and saved as web pages. There was a significant volume of information obtained, though the first 50 threads from each forum were translated from Russian to English to assemble a convenient sample of threads. A certified professional translator translated the first 50 threads from eight of the 10 forums. Additionally, 25 threads from Forum 06 and 21 threads from Forum 05 were translated. Due to limited translator availability and duplicate translations in some of the forums, a native Russian graduate student translated additional content.33 This student translated an additional 150 threads from Forums 03 and 04, and an additional 138 threads from Forum 05. These three forums were selected for further analysis, since they were very active and provided greater detail on the activities and practices of actors within malware markets. Duplicate threads were translated to determine translator reliability, which appeared high across the two translators.

A total of 909 threads were derived from this convenient, yet purposeful, sample of 10 forums. The threads consisted of 4,049 posts, which provided a copious amount of data to analyze (see Table 2-1 for forum information). Moreover, the forums had a range of user populations, from only 35 to 315 users. These threads span a 4-year period, from 2003 to 2007, though the majority of threads were from 2007.

The translated threads were then printed and analyzed by hand to consider both the prevalence and cost of products and services bought and sold in these forums. A content analysis was conducted to identify products, resources, and materials either sold or sought out in these markets. Advertisement content was coded based on the details provided. A post was coded as a sale if an individual stated that he or she was "selling," "offering," or otherwise providing a service. Requests for products were coded based on the language used, such as "need," "buying," or "seeking." Each item either requested or sold was coded individually, such that an advertisement selling both a piece of malware and a spam database was coded as one spam database and one piece of malware. Thus, the number of advertisements is larger than the overall number of threads where the advertisements appeared.
Forum   Total Number   Total Number   User         Timeframe
        of Threads     of Posts       Population   Covered
01          50            183            88        6.00 months
02          50            164            50       20.00 months
03         200          1,203           315       10.75 months
04         200            812           273       12.50 months
05         159            369           153        6.75 months
06          50            251            82       36.25 months
07          50            379           116       29.50 months
08          50            291            95       36.00 months
09          50            172            35       10.50 months
10          50            225            95        1.50 months
Total      909          4,049         1,302

Table 2-1. Descriptive Data on Forums Used.


The threads were also analyzed to determine the services either being sold or requested. Services were coded into categories based on the content of the ad. Specifically, any ad that provided a service, such as the delivery of spam, web hosting, and hacking, was coded as "cybercrime services." Ads related to malicious software, including bots, Trojan horses, and iFrame tools, were coded as "malware." Individuals buying or selling credit card account information, records from keystroke logs on compromised machines, or other resources were placed into the category "stolen data." The tag "ICQ numbers" was used for ads selling or requesting ICQ numbers for personal use. Any advertisement that appeared to be for legitimate products, such as computer hardware or software, video game resources, legitimate security or programming services, or other products, was placed under the tag "Other Services." Information on stolen data, ICQ numbers, and other services is excluded from this analysis, since these comprise only 36 percent of all threads observed and are ancillary to malicious software production and services to facilitate cybercrime.34 Thus, removing these threads enables this analysis to focus on malicious software and cybercrime services in depth.
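The coding scheme just described (sale versus request by the language used, one record per item in an ad, and the five resource tags), worked as an added Python example that is not part of the chapter; the keyword-to-tag mapping, the item separator and the sample ads are constructed assumptions, and the summary mirrors the column layout of Table 2-2 below.

```python
"""Advertisement coding in the style of the chapter's content analysis.

Added example, not part of the chapter. A post is a sale if the poster is
"selling"/"offering", a request if the language is "need"/"buying"/"seeking";
every item in an ad is coded individually; items are tagged "malware",
"cybercrime services", "stolen data", "ICQ numbers" or "Other Services".
The keyword lists and the sample ads are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional

SALE_TERMS = ("selling", "offering", "for sale")
REQUEST_TERMS = ("need", "buying", "seeking")

# Assumed keyword-to-tag mapping; the chapter names the tags, not a coding book.
TAG_KEYWORDS = {
    "malware": ("trojan", "bot", "iframe", "cryptor", "joiner", "polymorph"),
    "cybercrime services": ("spam", "hosting", "ddos", "hack"),
    "stolen data": ("credit card", "keylog", "dump", "pin number"),
    "ICQ numbers": ("icq",),
}
PRICE_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")
ITEM_SEP = re.compile(r"\s*[+;]\s*")   # item separator in the constructed ads


@dataclass
class CodedItem:
    ad_id: int
    kind: str               # "sale" or "request"
    tag: str
    price: Optional[float]  # None when the ad names no price


def code_kind(text: str) -> Optional[str]:
    """Sale / request / None (not an advertisement), from the language used."""
    low = text.lower()
    if any(t in low for t in SALE_TERMS):
        return "sale"
    if any(t in low for t in REQUEST_TERMS):
        return "request"
    return None


def tag_for(item_text: str) -> str:
    low = item_text.lower()
    for tag, words in TAG_KEYWORDS.items():
        if any(w in low for w in words):
            return tag
    return "Other Services"


def code_ad(ad_id: int, text: str) -> list[CodedItem]:
    """One record per item, so an ad selling malware plus a spam database yields two."""
    kind = code_kind(text)
    if kind is None:
        return []
    records = []
    for part in ITEM_SEP.split(text):
        m = PRICE_RE.search(part)
        price = float(m.group(1).replace(",", "")) if m else None
        records.append(CodedItem(ad_id, kind, tag_for(part), price))
    return records


def summarize(items: list[CodedItem], include: Optional[set[str]] = None) -> dict:
    """Per-tag post counts, buy/sell split and price range (Table 2-2 layout).
    `include` restricts the tally to chosen tags, as the chapter does when it
    drops stolen data, ICQ numbers and other services from the analysis."""
    by_tag: dict[str, list[CodedItem]] = defaultdict(list)
    for it in items:
        if include is None or it.tag in include:
            by_tag[it.tag].append(it)
    total = sum(len(g) for g in by_tag.values())
    rows = {}
    for tag, group in sorted(by_tag.items()):
        n = len(group)
        buy = sum(1 for it in group if it.kind == "request")
        prices = [it.price for it in group if it.price is not None]
        rows[tag] = {
            "posts": n, "pct_total": round(100 * n / total, 1),
            "buy": buy, "pct_buy": round(100 * buy / n, 1),
            "sell": n - buy, "pct_sell": round(100 * (n - buy) / n, 1),
            "min_price": min(prices) if prices else None,
            "max_price": max(prices) if prices else None,
            "avg_price": round(mean(prices), 2) if prices else None,
        }
    return rows


# Constructed sample ads (not quotes from the forums studied).
SAMPLE_ADS = [
    "Selling Pinch-style trojan build, $50, WM only",
    "Need a custom bot build for my own network, paying up to $300",
    "Offering iframe traffic, US stream $120 per 1,000 + cryptor $5",
    "Seeking ddos service for 24h, will pay $40",
    "Selling 10 ICQ numbers, $2 each",
    "Buying credit card dumps with pin number, bulk",
    "Anyone know a good forum rules thread?",   # not an ad; excluded
]


def code_sample() -> list[CodedItem]:
    return [rec for i, ad in enumerate(SAMPLE_ADS) for rec in code_ad(i, ad)]


if __name__ == "__main__":
    for tag, row in summarize(code_sample()).items():
        print(f"{tag:20} {row}")
```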

In order to examine the economics of cybercrime, simple equations and statistics will use data generated from two well known and highly regarded sources: the Computer Security Institute's (CSI) Annual Computer Crime and Security Survey and the Internet Crime Complaint Center's (IC3) Annual Internet Crime Report. The CSI report is developed in conjunction with the FBI and provides one of the few available resources for statistics on the economic impact of cybercrime in corporate settings. This survey is distributed to 5,000 businesses and organizations across the United States via physical and electronic mail.35 Two follow-up solicitations are made, and the response rate is usually between 5 and 10 percent of all total recipients. As a result, the figures presented are most likely biased samples that may not accurately reflect the true costs of various attacks across businesses and institutions.

A similar bias is evident in the statistics provided by the Internet Crime Complaint Center. The agency is a joint operation of the FBI and National White Collar Crime Center, which takes reports from individuals who self-identify as victims of certain types of online fraud.36 Individuals must report any incident via an online form hosted on the IC3 website. Anyone who is not aware of this resource may not report his or her experiences, reducing the generalizability of the data. Additionally, since victims must estimate the loss they have experienced, the reported statistics may not accurately reflect the true costs of victimization.

Despite these limits on the validity and generalizability of the statistics produced by these agencies, there are few other consistently reported and widely cited resources on the economic harm caused by cybercrime. Thus, the data produced by these agencies preclude strong conclusions and limit the generalizability of the analysis. The significant lack of research in this area, however, demands that some exploratory investigation be conducted to provide initial estimates for both corporate or individual losses and the general return on investment for cybercrime. The statistics presented are based on the 2008 reports provided by each agency, since they reflect all reported incidents for the 2007 calendar year. This creates a consistent data point between the forum content and the economic harm reported by victims of cybercrime. Since the CSI received a very low response rate in 2008 and did not publish all economic loss estimates, data from the 2007 CSI report37 will also be used to provide cost measures for certain offenses.

Finally, the economic data estimated in this analysis do not include labor costs. It is unknown how many man-hours may be required to complete a successful attack due to variations in the actors' skill and technical expertise.38 Similarly, the time spent to generate new infections or maintain an existing compromise may differ by attacker, based on the sophistication and ease with which they can manage the tools at their disposal.39 Certain attacks may also require no time investment on the part of the offender, as when paying for a service like a DDoS attack. Thus, time and labor costs will not be included in these economic estimates due to the difficulty in computing these figures.

FINDINGS

Before discussing the products available, it is necessary to consider the structure of the market as a whole. These forums comprise an interconnected marketplace composed of unique threads that act as an advertising space. Individuals created threads by posting their products or services to the rest of the forum. Alternatively, posters could describe in detail what they wanted to buy or acquire on the open market. Both buyers and sellers provided as thorough a description of their products or tools as possible, including contact information, pricing information, and payment methods. Actors within these markets communicated primarily through the instant messaging protocol ICQ or email, which they can encrypt to protect both participants during the sales process. Some also used the private message (PM) feature built into each forum. PMs ensure quick contact and act as an internal messaging system for each site, though they may not be as secure.

Prices were in either U.S. dollars or Russian rubles, along with the desired method of payment through a web-based electronic payment system. Most participants used WebMoney [WM] or Yandex, since they enable the near-immediate transmission of funds between participants, with no need for face-to-face interactions. In addition, four of the forums identified offered guarantor payment services, in which individuals act as middlemen to hold money on behalf of a buyer until the seller delivers the products or services ordered.40 Guarantor services ensure a higher likelihood of successful transactions, because both the buyer and seller are aware that the payment can be withheld depending on delivery of an order. Thus, access to a guarantor service is an important way to ensure that transactions are successfully completed in a timely fashion.

There were, however, no actual public transactions of services observed in these forums. Instead, buyers and sellers gave some indication of how the process operated. An interested individual would contact the advertiser via ICQ or email and negotiate the cost for services rendered. The prospective buyer then pays for the product and awaits delivery from the seller. Many sellers indicated that they must receive payment in advance of services rendered. This process introduces the potential for buyers to lose money should a good or service fail to be provided, and facilitates buyers being cheated by untrustworthy operatives. As a result, the sales process appears to favor sellers rather than buyers.

Malware.

The most common resource available in malicious software markets was Trojan horse programs (see Table 2-2 for breakdown).41 There were 78 ads related to Trojan horse programs, comprising 31.7 percent of all malware for sale. The cost of these programs varied significantly, from $2 to $5,000, depending on the quality and sophistication of the resource. A variety of Trojan horses were sold, ranging from well-known resources like Pinch, which can steal information from over 30 well-known programs, to keylogging Trojan horses designed to steal funds from WebMoney accounts. There was a relative balance between sale ads (51.6 percent) and custom request ads (49.4 percent) seeking Trojan horse programs. Thus, there is still a significant demand for novel or unique Trojan horses with special qualities that may not otherwise sell on the open market.

The second most common malware was iFrame tools that enable the distribution and infection by unique malicious code through web browsers (30.5 percent). The concept and design of iFrames originate with HTML, as a way to seamlessly push multiple HTML files to a browser in a single page of content without the need for user interaction.42 Hackers subverted this design function, however, to surreptitiously send malware to unsuspecting users. In fact, individuals sold iFrame "exploits" and "packs" one could place on a server to infect the personal computers of individuals who visit web pages hosted there. This type of attack exponentially increases the infection vector for malicious software, and the risk of identity theft, data loss, and computer misuse.43 There were 14 ads (66 percent) selling access to iFrame scripts and infection packs, indicating there is a healthy supply of these tools on the market. The proportion of requests for these resources (34 percent) also suggests there is still a substantial demand for iFrame malware. The price for these products ranged from $2 to $450, depending on the quality and sophistication of the resource. This is somewhat lower than the prices for Trojan horses, potentially because of the unique application of iFrame tools and the knowledge required to establish the infrastructure and support infections.
Resources                   Number    Percent   Buy     Percent   Sell    Percent   Min     Max      Average
                            of Posts  of Total  Posts   of Total  Posts   of Total  Price   Price    Price
Bots                           16       6.5       8       50        8       50       30     2,000    322.27
Bugs                            3       1.2       3      100        0        0       40        40     40.00
Cryptors, Joiners, and
  Polymorphic Engines          47      19.1      13       27.6     34       72.4   0.20        49     13.03
FTP Resources                  27      11.0      15       55.6     12       44.4     20     1,000    271.66
iFrames and Traffic Sales      75      30.5      26       34.7     49       65.3
  Tools                        21      28.0       7       33.3     14       66.6      2       450     79.25
  Traffic                      54      72.0      19       35.2     35       64.8      1       500    110.84
Trojan horses                  78      31.7      38       48.7     40       51.3      2     5,000    742.97
Total                         246     100       103       41.9    143       58.1

Table 2-2. Malware and Related Services Offered in Hacker Forums. (Tools and Traffic are subcategories of iFrames and Traffic Sales; their "Percent of Total" figures are percentages of that category's 75 posts, and their buy/sell percentages are of their own post counts.)


In addition, 72 percent of all iFrame ads involved hackers leasing access to their active iFrame infrastructure on compromised servers through "traffic streams." Selling traffic enabled individuals to make a profit by uploading someone else's malware to the server so that it could be used to infect individual users. There were a number of iFrame traffic sellers, and their ads comprised 64.8 percent of the traffic market, suggesting that there may be some saturation of this resource in the hacker community. Most traffic stream providers based their pricing on 1,000 infections, with an average cost of $110.84 per 1,000 systems. Sellers also explained that they could acquire infections in specific countries, and streams in the United States tended to have the highest price overall. Mixed traffic from various countries around the world was sold at the lowest overall price.

The third most prevalent form of malware sold was programs designed to either conceal or encrypt malicious code so it could be sent and activated undetected by antivirus programs. These tools were largely referred to as cryptors, and comprised 19.1 percent of the total programs offered in the malware market. Most individuals sold cryptors (72.4 percent), suggesting that these tools are readily available across the market. The average price for a cryptor was $13.03, which is substantially lower than all other forms of malware. This may stem from the utility of cryptor software, since it is not necessary to facilitate an attack. Thus, individuals may be more likely to sell these programs at a lower price in order to attract prospective customers.

Hackers also offered compromised File Transfer Protocol (FTP) servers, which hold sensitive information including web page content, databases, email accounts, and other data. FTP resources comprised 11 percent of the overall malware market, and the price depended on the quality and quantity of data offered. The average cost of FTP resources was $271.66 per item, and there was a substantial demand for these services. In fact, 55 percent of the ads involved requests for specific servers or attacks. Thus, individuals could seek out someone to complete an attack on their behalf as a service, rather than take the time to complete this act on their own.

The final type of malware offered in the markets was bots, which constitute 6.5 percent of all malware bought and sold. Eight individuals offered either unique executables of bot programs or leased their existing infrastructure for spam distribution or as an attack platform. There was an equal demand for custom builds of bot malware, suggesting there was a strong demand to create and establish individual botnets. The average cost of bot services was also higher than that of iFrame resources at $322.27, but lower than the price of a Trojan horse. The generally small proportion of ads related to bot malware may stem from the sizeable proportion of botnet-driven services available in the market.

Cybercrime Services.

A diverse range of products enabling individuals to engage in a variety of cybercrimes was also available in the market, including Distributed Denial of Service (DDoS) attacks, spam, attacks, and hosting malicious content online (Table 2-3). The primary service offered in these forums related to the distribution of spam (32.4 percent), or unwanted messages to email accounts, ICQ numbers, and mobile phones. The largest subcategory related to spam involved email databases that could be used to create distribution lists for spam delivery. Database sales and requests comprised 46.5 percent of the overall spam threads. Twenty-four individuals across five of the sites sold databases for spam, with variable costs based on the number of emails and the country location for each address. The majority of these ads involved sales of existing databases (78.8 percent), suggesting that there is a substantial supply of email addresses in the marketplace.
Resources                   Number  Percent   Buy    Percent   Sell   Percent   Min.   Max.    Average
                            Posts   of Total  Posts  of Total  Posts  of Total  Price  Price   Price
DDoS*                       29      13.0      0      0.0       29     100.0     0.41   25      14.26
Hacking Services            30      14.0      16     53.3      14     47.7
  Compromise                11      36.7      6      54.5      5      45.5
  Email/Passwords           19      63.3      10     52.6      9      47.4
Proxies and VPN             25      11.4      4      16.0      21     84.0
  Proxy                     20      80.0      4      20.0      16     80.0
  VPN                       5       20.0      0      0.0       5      100.0
Spam Services               71      32.4      14     19.7      57     80.3
  Databases                 33      46.5      7      21.2      26     78.8      0.50   100     45.43
  Services                  23      32.4      3      13.0      20     87.0      0.50   700     50.91
  Tools                     15      21.1      4      26.7      11     73.3      2.00   180     59.11
Web Hosting and Services    64      29.2      6      9.4       58     90.6
  Domains                   24      37.5      2      8.3       22     91.7
  Hosting                   30      46.9      3      10.0      27     90.0      0.85   300     48.89
  Registration              10      15.6      1      10.0      9      90.0      9.00   150     50.17
Total                       219     100.0     39     17.8      180    82.2

* Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices for a 24-hour attack.

# Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here.

Table 2-3. Cybercrime Services Offered in Hacker Forums.#
The second largest subcategory of spam involved ads related to the actual distribution of spam messages. The majority of these ads were sales-related (87 percent), suggesting that there was significant market saturation for this service. In addition, the price for spam distribution was generally low, with an average of $50.91. Sellers often described giving substantial discounts for sizeable deliveries, with the final cost for spam distribution at an average of less than .0001 cent per message. Thus, the distribution of spam is a relatively inexpensive service to acquire. Finally, there were 18 threads (21.1 percent) pertaining to scripts and mailing programs to facilitate the distribution of spam. The average price for spam tools was $59.11, which was the most expensive average price in this category. The proliferation of spam resources suggests that this is now a service-driven product for attackers, requiring minimal knowledge of computer systems and networks.

Individuals also offered services to support a variety of malicious web content. Hackers need resources to host malicious content, such as malware or cracked software; thus, web hosting and domain resources comprised 29.2 percent of the threads related to cybercrime services in these markets. There were 30 threads related to web hosting made by 22 different usernames in five forums. Additionally, there were only three requests (10 percent) for web hosting services, suggesting there is a substantial supply of providers available. Descriptions of the hosting services varied, depending on the amount of storage needed and their desired level of customer support. The price range for service was variable, ranging from 50 cents to $300, with an average of $48.89. Thus, hosting services could be obtained for a generally low price, depending on individual needs.
Sellers also indicated what content they would not host in their ads. In particular, child pornography and bestiality-related content were regularly viewed as unacceptable. Hosting this sort of content may pose too much risk for a provider, since many countries have legislation and law enforcement initiatives to combat child pornography.44 By contrast, malware was often cited as acceptable, demonstrating the key intersection between malware and cybercrime service providers.

There were also nine individuals offering domain name registration services in order to shield actor identities from law enforcement and domain registration authorities. Since 90 percent of these ads were sales-related, there is a clear supply of providers within the market. In addition, seven individuals sold web domains comprising 37.5 percent of these services. Thus, there appears to be a solid support infrastructure in place to aid hackers in developing, hosting, and maintaining malicious web content.

Hacking services comprised 14 percent of all service-related posts, and offered two primary forms of attack. The first was account-related, including obtaining passwords from email accounts, website log-in screens, and forums in a surreptitious fashion. Eleven ads appeared in this sample of threads, suggesting that there is a relatively high demand (45.5 percent) for assistance with hacking. The second form involved compromising or attacking a specific target. There were 19 requests for compromise assistance with a similar distribution of buyers (52.6 percent) to sellers (47.4 percent). Specifically, 10 individuals requested assistance in obtaining access to different systems, ranging from hacking FTP servers to acquiring spam databases from specific websites. Nine users also advertised hacking services to order, including attacking Google Page Ranking systems or acquiring passwords for email accounts. These ads did not provide any substantive information on pricing, making it difficult to determine price metrics. At the same time, the prevalence of requests and available service providers demonstrates that these forums enable individuals to engage in forms of cybercrime that may exceed their technical capabilities.

A proportion of sellers also offered DDoS attack services for a fee. These services comprised 13 percent of the overall posts related to cybercrime services in these forums, including 29 ads across four of the forums (see Table 2-3 for detail). Sellers offered to flood a web server with requests, rendering it unable to complete the information exchange necessary to fulfill user requests for content.45 As a result, individuals are unable to access resources hosted on the server for the duration of the attack. DDoS providers regularly mentioned that their services were supported by botnets, as in an ad from one provider who noted "Large quantity of BOTS online, quantity grows every day. BOTs are located in different time belts [zones], which allows the DDoS to work 24 hours a day." All of the ads in this sample were sales-related, indicating that these providers have completely saturated the market and are readily accessible to interested parties. The average cost for DDoS services was $14.26 per hour, indicating that this service is also relatively inexpensive.

The final service identified in these forums offered access to proxy services and Virtual Private Networks (VPN). These resources conceal an individual's IP address and location, reducing the likelihood of detection while one is engaging in attacks or malicious activity online by routing packet traffic from the user's system through IP addresses on a server.46 The majority of ads for both proxy and VPN services were sales-related (84 percent), suggesting there is a significant supply of these services within the malware market. The pricing for proxy services was often tiered based on the total number of proxies purchased, though the average cost of proxy services was $42.52. There was, however, too much missing data to calculate the cost of VPN services. Nevertheless, these findings suggest that tools to conceal an actor's location were readily accessible through these forums.

Examining the Economics of Cybercrime.

The cost metrics derived from these forums make it possible to consider the economic gains individuals may generate from the use of malware and cybercrime services. For instance, the significant number of Trojan horses advertised calls into question the costs and benefits of obtaining malware for attack purposes. Using the average costs for tools, it is possible that an attacker may spend $755.80 to acquire a Trojan horse ($742.77) and encryption software ($13.03) to increase the likelihood of infection. If the attacker were to attempt to target victims randomly in order to establish an infection, he or she may distribute infected files via spam email.47 If a proportion of unsuspecting recipients open the file, this may immediately create a series of infections with minimal effort. The average cost to obtain an email address from an existing database or send a message is .0001 cents. Thus, it would cost approximately .0002 cents to obtain and send a message to a single email address using the providers identified in these forums. At this rate, an individual would spend $20 to send out 100,000 spam messages. Adding this figure to the software costs increases the overall offender investment for a malware campaign to $775.80.
Comparing this figure against the loss to business and industry indicates that there is a significant difference in the harm that a hacker can cause. The CSI report indicates that the cost of remediating a virus or worm infection is $40,141 per respondent.48 Thus, the cost to a victimized business can be up to 53 times greater than the initial investment made by the offender. Simple destruction or infections do not, however, generate revenue for an attacker. Instead, they must obtain sensitive data through key-loggers or mass intrusions into database information. These losses can be exponentially worse, as the average cost for the theft of proprietary data was $241,000 per respondent, and $268,000 for stolen customer or employee data.49 Thus, the profit margin for malware acquisition can be substantial, depending on the quality and quantity of data acquired.

Examining the cost of botnet establishment and mitigation reveals a similarly high profit margin. For example, if an individual pays the average cost of $322.27 to acquire botnet software, and an additional $200 to send out a million spam messages, his or her total investment is $522.27. Within corporate environments, the average cost to mitigate and remove a botnet infection was $345,600 per respondent.50 Using this metric, if a bot herder were able to establish 10 nodes across five companies, it is feasible that this might cause over $1.7 million dollars in damages. In addition, he or she could regain the initial investment costs by leasing their bot infrastructure to engage in a single 37-hour DDoS attack if he or she charged the average rate of $14.26 per hour. Alternatively, the bot herder would need to send out at least 5.2 million spam messages through his or her infrastructure at .0001 cents per message to earn back the investment.
A similar rate of return can be found with iFrame campaigns. If an offender wanted to establish his or her own iFrame service over a 6-month period, the offender may have to acquire three resources. First, the offender may spend up to $450 to purchase the most expensive iFrame kit available in the market. Second, if the offender does not have the capacity to compromise and install the kit on a server, he or she may identify a third-party web-hosting service for the kit. In this scenario, the offender would pay an average of $48.89 to host the malware each month for a total of $293.34. In addition, a weekly spam campaign may prove useful in order to drive prospective victims to the website. In this scenario, the individual would have to spend $4,800 to send out one million spam messages each week at $200 over a 24-week period. In total, an offender using each of these services, including paying the maximum for an iFrame kit, would spend $5,543.34 over a 6-month period.

If the attacker is successful and generating traffic, he or she may choose to lease out the infrastructure to generate a profit. Using the average cost metric for traffic sales at $110.84 per 1,000 infections, the offender would need to generate consistent traffic and infect at least 50,000 systems from mixed traffic to regain his or her initial investment. It is unclear from the posts and comments from sellers how long it takes to generate such traffic, though the sheer number of traffic resellers suggests that it is possible to establish and maintain such an infrastructure over time. Thus, there appears to be some substantial return on investment for iFrame operators who are willing to make operational expenditures in their infrastructure over time.

Since malware requires time, money, and some skill to use properly, some offenders may opt to lease services from providers in the market. For instance, the availability of DDoS services in the forum suggests that individuals may be interested in paying for an attack rather than creating and maintaining their own botnet. Since the average cost of DDoS services in these forums was $14.26 per hour, a botmaster may generate an estimated $342.24 per day for a 24-hour attack. It is also clear that lengthy attacks decrease productivity and increase financial harm for the target. Thus, an offender may spend $1,026.72 for a 3-day attack based on a 72-hour rate at $14.26 per hour. This is most likely an overestimate, as DDoS providers offered discounted prices based on the length of an attack. Regardless, victims lost an average of $14,889.69 from DDoS attacks in 2006.51 This is a substantial impact that well exceeds the initial cost paid by the offender.

A successful DDoS attack does not, however, generate any observable economic gain for the individual who ordered the attack. As a consequence, it is necessary to consider how an individual may use a DDoS provider to generate a substantial profit. To that end, a number of hackers blackmail businesses by threatening to take their systems offline using DDoS attacks. Prospective targets often pay ransoms to avoid a loss of service or embarrassment over a prospective attack.52 In fact, CSI respondents paid an average of $824.74 to avoid or stop attacks in 2006.53 To that end, a botmaster or his or her prospective client could readily generate a profit by simply threatening to attack a company. It is unclear how long an attack would need to take place to ensure payment of a ransom, though if an offender had to pay for a 24- to 48-hour attack, he or she could still generate a profit of approximately $150 or more based on the average business cost. The profit margin increases substantially if an attack ends within a matter of hours. Thus, blackmail may be an extremely useful way to utilize DDoS services.

The same profit margins are evident in the use of spam providers. Since an individual attacker may spend approximately .0002 cents to obtain and send a message to a single email address, his initial investment is quite small. The likelihood of successful responses is equally low, since there are myriad security tools designed to filter or block spam messages from reaching the end user.54 Depending on the scheme employed, however, an attacker need only affect a small number of users in order to make a profit. For instance, advance fee fraud ("419 scams") is one of the most economically rewarding spam schemes.55 In these frauds, the sender poses as a banker, barrister, or wealthy heiress seeking assistance to move a large sum of money out of the country. The senders say they need the assistance of a trustworthy foreigner to help them complete this transaction due to various legal or familial issues. All that the victim needs to do is provide his or her name, address, and banking information, and in return that person can retain a portion of the total dollar amount described.56

Though it is unknown how many individuals who receive these messages actually respond to the fraudulent solicitation, estimates state that between 1 and 3 percent of all recipients are victims.57 In addition, data from the Internet Crime Complaint Center suggest that victims lose an average of $1,922.99 when participating in the scheme.58 With this in mind, if an offender spends $200 to send out one million advance fee fraud messages, he may receive an overly conservative response rate of .00005, or 50 recipients. Using the IC3 average dollar loss for this sort of scam, a cybercriminal could earn $96,149.50 from these 50 respondents, which is 480 times their initial investment. Though these scams require a significant degree of human interaction with the victim and labor in order to be successful, the profit margin is still exceedingly high. Thus, spam distribution services are a key resource in the larger marketplace for cybercrime, and their low price may reflect the difficulty in effectively targeting and ensuring a high rate of return from an investment.

DISCUSSION AND CONCLUSIONS

This monograph sought to explore the market for malicious software and cybercrime services in order to understand the price and availability of resources, as well as the relationship between the price paid for services and the cost experienced by victims of these crimes. The findings suggest that myriad tools and services are available and sold for profit in an open market environment that encourages and supports cybercrime.59 Individuals could procure spam, DDoS attack services, Trojan horses, iFrame exploit infections, web hosting, and various other resources at relatively low prices from the forums in this sample. Several of these services also depend on botnets for functionality, demonstrating the prominence of this malware in cybercrime.

The pricing structure and observed supply and demand for different resources suggest that these markets have made it easier for individuals to engage in computer intrusions and attacks. Participants in these forums no longer need to cultivate high levels of skill and technological sophistication, since they could readily request assistance to compromise email accounts or servers, and lease existing infrastructure created by more skilled actors.60 In fact, botmasters appear to recognize the value of their infrastructure and offer services enabled by their infrastructure to generate a profit. In turn, the marketplace appears to operate largely as a service economy in which individuals can select from multiple providers based on price and customer service in order to complete an attack that may well exceed their overall level of knowledge.

Examining the return on investment for engaging in various cybercrime schemes also suggests that attackers can generate a substantial profit or cause damage that far exceeds their initial investment. In fact, some of the least expensive products, such as spam distribution, may provide a massive gain for the individual attacker and a slight profit for the service provider. In addition, individuals who own and operate bot and iFrame infrastructure may generate a substantial profit over time by leasing their services. Those who lease or pay fees for service may, however, have a reduced risk of detection from law enforcement because they do not actually compromise systems or have a significant relationship to the affected systems. In addition, their profit margins may be slightly higher due to minimal labor and maintenance costs. Their limited skill set may diminish their overall lifetime earning capacity, since they may never cultivate the necessary skills to create and complete their own intrusions and attacks.

The findings of this exploratory analysis must be interpreted with caution due to the inherent limitations of the data. Specifically, the victimization statistics used in this analysis have extremely limited generalizability and are most likely biased samples representing small proportions of the total population. In addition, the CSI reports indicate that less than a third of all incidents that occur are reported to law enforcement.61 Thus, there is a critical need for increased reporting of cybercrime and improved measures for corporate and individual losses. The paucity of data in this area makes it difficult to understand or estimate the efficacy of cyber attacks and the overall economic gains made by offenders. Increased clarity in reporting is vital to move criminological and information security research beyond speculation, and to move case studies into quantifiable areas of loss calculation. In turn, one can better understand the economics of both attack and defense.

Additionally, the data used for the forum analyses derive from publicly accessible forums that are over 3 years old. The content of the data may be radically different from the resources available in private forums, which require registration and membership vetting in order to access posts.62 In addition, the rapid changes in technology make it difficult to extrapolate these findings to the current resources that may be available in the malware marketplace. Finally, this analysis used a small proportion of threads from multiple forums, which may limit the amount of malware and services observed. Thus, there is a need for greater research to understand the practices and content of malware markets over time. Longitudinal research can provide insights into the shifts in available resources, and identify any declines or spikes in the price for a good or service. Such research can also identify new trends in malware and attack vectors, improving the response capabilities of law enforcement and security professionals. Future research should also develop comparative samples of threads from open and closed forums to consider variations in the products that can be acquired by those with greater penetration into and status in the hacker community. In turn, this can substantially improve our understanding of the skill and ability present in the hacker community and its operational capabilities.
CHAPTER 3

THE EMERGENCE OF THE CIVILIAN CYBER WARRIOR

Max Kilger

Note: The information in the chapter derives from a current study by the author and other researchers.

INTRODUCTION

The advantages gained from making a concerted effort to develop an understanding of an adversary are difficult to overstate. Whether the analysis occurs through a psychological, social-psychological, anthropological, or strictly sociological perspective, the ability to "know your enemy" is a critical component of a comprehensive strategy to protect assets actively and proactively within critical infrastructures. While the deployment of defensive technical barriers, such as firewalls, intrusion detection systems, etc., is a necessary action to provide sufficient protection for digital networks that hold sensitive data or have supervisory control and data acquisition (SCADA) functions, the ability to develop a taxonomy of the perpetrators' motivations behind the vectors within the cyber-threat matrix can assist in making a more accurate assessment of the threat each type of actor presents to specific elements within specific infrastructures. In addition, developing a foundational understanding of the motivations of malicious online actors facilitates the ability to construct plausible future threat scenarios that may emerge in the near- to mid-term timeline.
This chapter will start by providing some basic background for a schema that outlines six hypothesized motivational factors to encourage malicious online behaviors. The focus of the discussion will then turn to one specific motivation and, within that motivation, one specific archetype — the civilian cyber warrior — that poses perhaps the most significant emerging threat to domestic and foreign critical infrastructures. Finally, the chapter will conclude with an analysis of some preliminary data in an ongoing study that investigates some of the factors that may relate to this specific type of online malicious actor.

THEORETICAL BACKGROUND

Over the years, there have been a number of attempts to create taxonomies for malicious online actors. Many of these taxonomies rely partially upon the factor of skill and expertise possessed by the actor in various operating system platforms, networking protocols, digital hardware functionality, programming languages or shell scripting, or knowledge of specific system security strategies. These taxonomies also to some extent rely upon the type of target that the malicious actor specializes in. The Chiesa study utilized a combination of skill and target type as well as motivational attributes such as political reasons, escape from family situations, and conflict with authority as taxonomy criteria for classifying malicious online actors.1 The Rogers study described two different dimensions — skill level and motivation — to build a multiclass taxonomy of hackers. His hacker class taxonomy includes classes of hackers such as petty thieves, old guard hackers, professional criminals and, more recently, political activists.2 In Cyber Adversary Characterization: Auditing the Hacker Mind, Tom Parker, Eric Shaw, Ed Stroz, Mathew Devost, and Marcus Sachs place emphasis not only on the properties of the attacker, but their model also examines in detail other factors such as the perceived probability of success of attack, perceived probability of detection, and other attack-associated metrics.3

The classification schema in this chapter is one developed by this author, Ofir Arkin, and Jeff Stutzman.4 This schema — labeled MEECES5 — describes six motivations for malicious online actors: Money, Ego, Entrance to social group, Cause, Entertainment, and Status. Money, of course, is the most obvious and self-explanatory motivation. The significant extent to which financial institutions have placed financial resources, such as checking, savings, credit lines, credit cards, and other components of the banking system, online has put tremendous amounts of financial capital at potential risk. The vast potential for wealth that has been exposed to the Internet has attracted a plethora of malicious actors from a number of different backgrounds. In addition to the malicious actors who were already motivated by financial gain, the magnitude of the financial resources available has likely also tempted other skilled individuals who might otherwise not have been spurred to action by this motivation.

Further, there are geo-economic factors at work here as well. Perhaps for the first time, for individuals in countries where the standard of living is lower in comparison to first-world industrialized countries, where the potential for finding gainful employment is uncertain, and where, in some cases, the economic climate has forced highly educated individuals into underemployment, the allure of the possibility of gaining access to and illegally acquiring significant sums of money is great. This has also led to the migration of more traditional organized crime members into the cyber environment. This infusion of sometimes technically unsophisticated criminals into cybercrime has also changed the dynamics of cybercrime gangs.

This was not always the case. During the early years of the hacking community, individuals who used their technical skills for personal monetary gain were shunned by the rest of the community. It was considered a violation of the code of ethics for hackers to deploy their skills to steal money or financial resources. This norm violation is still in place today in the hacking community, but it has been substantially weakened by the increasing number of skilled individuals who utilize their expertise for unlawful financial gain as well as the influx of a more traditional criminal element.

Ego is the second motivation in the schema.6 Ego motivates individuals through the feelings of accomplishment that accompany overcoming a particularly difficult technical obstacle. Actions such as getting a hardware device to do something that was thought impossible, writing a complicated piece of code that intelligently adapts to situations, or bypassing a sophisticated security system such as a firewall or intrusion detection system are all examples of behaviors associated with the ego motivation. Note that the actions do not necessarily have to be malicious in nature; even difficult obstacles that are overcome in the course of lawful employment relate to this motivation.

The third motivation for malicious online acts is entrance to a social group. Hacking groups are more or less status-homogeneous in terms of technical expertise.7 While there is likely a leader of the hacking group who possesses somewhat higher levels of skill and expertise, the majority of the individual group members have somewhat similar levels of technical proficiency, although it is likely that individuals are proficient in different areas, such as different operating systems or programming languages. This means that in order for an individual to join the group, that individual must possess levels of expertise similar to the members of the group he or she wishes to join. The key question is, how do prospective candidates demonstrate their level of expertise? It is almost certain that the members of the hacking group will not take the word of the candidate at face value. One of the pathways by which prospects can demonstrate their skills is writing an elegant piece of malicious code. Once written, the code goes to the hacking group, which in turn evaluates its function and programming aesthetic. If the group feels the code displays at least the minimum skill level necessary to belong to the group, it will admit the candidate. The code itself is often given to the members of the group as a sort of "initiation fee."

Cause is the fourth motivation for malicious online actors. Cause is defined as the use of technical expertise or skill in the pursuit of political, social, cultural, ideological, religious, or nationalistic goals.8 Hacktivism is one of the more common types of malicious online behavior. The most common hacktivism events often take the form of website defacements. Examples of hacktivism include the long-running attack by the group Anonymous on the Church of Scientology starting in 2008,9 attacks on Australian government websites by individuals upset by government plans to censor the Internet,10 and the continuing saga of the Wikileaks exposure of hundreds of thousands of classified documents.11 Cause may also take the form of individuals launching a cyber attack against assets of a foreign country or even their own country in response to government actions that the individuals find objectionable. This specific instance of cyber attacks motivated by cause defines the actions of the civilian cyber warrior.

Entertainment is probably the least known and least common motivation for malicious online acts. Its origins probably emanate from the early beginnings of the hacker community. During these early days, humor often served a functional purpose in sharing common values by constructing humorous stories and tales that contained plays on technical terms and concepts. Humor also functioned as a mild form of social control — playing a humorous prank or joke on another hacker or system administrator often brought a bit of humility to the victim and returned a sense of balance to the social situation. Compromising a machine and leaving a humorous taunt directed at its system administrator for the lack of security controls at the compromised machine was a not-too-uncommon event.

Entertainment as a motivation for acts — malicious or not — appeared to decline for some time after the early years but has recently made a resurgence. This increase in incidents of the entertainment motivation may be due in part to the preponderance of potential victims — the influx of less technical individuals into the hacking community as well as the tidal wave of technically challenged people pouring onto the web has likely facilitated the popular return of this motivation.

The final motivation is that of status. The hacking community can be described as a strong meritocracy.12 The position of individuals in the status hierarchy of their hacking group depends upon the level of technical skills and expertise they possess relative to other members of the group. The higher the level of expertise, the higher the status of the individual is in that hacking group. Note that this positive relationship is also salient when an individual in one hacking group is compared to another hacker in the larger hacking community. The person with the higher level of skills possesses the relatively higher status.

As was the case with the entrance to social group motivation, the validation of one's expertise and thus one's status within the hierarchy can be difficult to achieve. The difficulties in proving authorship of an elegant piece of code, especially to someone outside one's normal hacking group, make this avenue of validation more problematic. One avenue that does appear to work is the acquisition of status through contests of skill, which often occur at hacker conventions. Typically these are some variation of "capture the flag" contests, in which the objective is to use one's hacking skills and expertise to compromise computer systems in order to search out and find a catch phrase or encryption key — the possession of which provides evidence that the contestant possesses the requisite knowledge and skill to compromise the computer and acquire the flag.

A similar exercise involving the employment of malicious online acts in the wild can also lead to status acquisition and validation. One example of this is the acquisition of secret documents as a means to gain status. In this situation, one assumes that the secret documents have such value that they are heavily protected by a number of sophisticated means, often in some sort of defense-in-depth configuration. In order to come into possession of electronic copies of these secret documents, the malicious actor must use a significant amount of technical expertise and skill to break into the server without detection and exfiltrate copies of the secret documents.

One interesting consequence of obtaining status this way is that in the end, status exists within the possession of the secret documents. That is, these documents are status objects — they are items that in and of themselves impart status and have status. If the malicious actor publicizes or distributes the secret documents to his or her friends, then that actor in effect expends the status value that these documents have. Once they become collectively owned, they lose their status value and, consequently, the malicious actor loses status at the same time. This is one reason why, perhaps, in the case of Wikileaks, the principal actor in the incident — Julian Assange — was loath to disclose all of the documents at once, because he would have expended all of their status value and would have subsequently lost most of the status that was associated with their exclusive possession.

THE EMERGENCE OF THE CIVILIAN CYBER WARRIOR

The past few years have been witness to a significant focus on cyber-based threats. The realization of the vulnerability of the nation's critical infrastructures and the military to digitally based attacks has generated a flurry of interest and activity both by parties with substantial interests in the area — such as governmental entities carrying out national security directives — and within the military, which deploys not only defensive strategies, but offensive strategies as well. The cyber arena has turned into the next battlefield.

The focus on the malicious actors targeting critical infrastructures in most of these scenarios has been directed at the elements of foreign nation-state intelligence organizations or military forces and previously identified foreign terrorist groups.13 What has often been lost in the rush to protect critical infrastructures from digital attack is the idea that isolated individuals or small groups of individuals are, to a great extent, an unseen emerging threat vector to the nation's critical infrastructure.

What are the possible social dynamics behind this emerging threat? One central theme may be how technology is driving shifts in power relationships between nation-states and individuals. Foucault discusses at length the relationship between knowledge and power.14 His argument might extend to the power-knowledge relationship within the possession of expert knowledge of technical aspects of integral digital control and communications systems embedded within national critical infrastructure. As Mathews observes, "information technologies disrupt hierarchies, spreading power among more people and groups."15

The key concept here is that perhaps for the first time in history, a regular civilian can effectively attack a nation-state — in this case through a cyber attack on some component of that nation-state's critical infrastructure. "Effective" in this sense means that the attack can cause significant widespread damage and has a reasonably high probability of success and a low probability of the perpetrator being apprehended. While some might argue that political assassination might already be an existing instance of this, the questions surrounding the probability of success and certainly around avoiding being apprehended make this less likely to be the case.

An example of this shift in the balance of power between nation-state and individual may help the reader grasp the magnitude of the social-psychological shifts in thinking. Imagine that you are a citizen of country A and the government of country B is the direct causal agent for some significant actions that negatively affect your homeland and its people. Prior to the emergence of the Internet, an individual might write a letter to the President of country B and tell him or her why they object to country B's actions. What is the likely result? Probably nothing happens that changes the actions or consequences of country B.

So this individual joins individuals who have similar feelings and meets them at the embassy of country B to protest. What is the likely outcome of this action? The individual is likely to be arrested or injured by the crowd or police action without it having any real effect on country B. As the next step in the escalation, this individual cashes out his or her bank account, travels to country B, obtains some explosives, and plots to damage a government building. Again, the outcome is likely not to be favorable. There is a reasonable chance that the individual will be detected by intelligence agents and/or law enforcement and arrested before he or she has the opportunity to carry out the plan. Another possible outcome is that the individual ends up blowing him or herself up while preparing the explosive device. Finally, even if the individual manages to execute the plot, he or she is likely to be arrested and, while the damage to the target might be significant, in an overall sense the nation-state and people of country B are intact.

This example just reinforces the idea that a cyber attack on a national asset is a much more attractive path, because it likely has significantly more favorable outcomes for the malicious actor. If this is the case, then why haven't widespread incidents involving isolated individuals launching serious cyber attacks against national critical infrastructures occurred more often? Rogers suggests that it is because criminals have been "reluctant to cross certain ethical boundaries" that perhaps terrorists are willing to cross.16 A more likely reason is that this potential shift in the power relationship between individuals and the nation-state has just not reached cultural salience. As the salience of the shift in power balance diffuses into the more general population, in combination with the development and distribution of sophisticated cyber attack tools adapted for less technical end users, the pool of potential malicious attackers who pose threats to online systems and critical infrastructures steadily grows.

Eventually one may begin to see the consequences of this sequence of events; hence the importance of understanding more about the potential emerging threat from the civilian cyber warrior. One of the first things that one might want to investigate in the chain of actions for a terrorist act is the initial starting point where individuals begin thinking about and rehearsing in their minds the nature, method, and target for the terrorist attack. What does one know about the propensity of individuals in the more general population to contemplate a terrorist act? What would be the magnitude or severity of damage that someone might consider justified? There is a paucity of research focusing on this area, especially from a cyber attack perspective. The following analyses are some preliminary results from a recent, ongoing study of severity predictors of an attack on a foreign country's critical infrastructure, and the severity levels of an attack directed at one's own homeland.

METHODOLOGY

The following analyses use preliminary data collected from a study by Holt and Kilger.17 The sample for this study comes from undergraduate and graduate students at a large Midwestern U.S. university. Students received an email inviting them to participate in the study; embedded within the email was a link to the online survey. A preliminary sample of 357 students completed the survey for the purposes of this analysis. The survey itself consisted of: measures for the level of technical expertise; hours spent online; questions about previous history of ethical conduct using computers; nationalism; country considered to be one's homeland; out-group antagonism measures; demographics; and other relevant measures.

The study design was a 2 x 2 factorial design. The first factor is type of attack — cyber or physical. One of the objectives of the study was to investigate the potential relationship between cyber and physical attacks on critical infrastructure. The second factor was the target country. The target country could be a nation-state that the respondent did not consider to be his or her country or homeland — that is, a foreign target. Alternatively, the target country could be a nation-state that the respondent stated was his or her homeland or own country — that is, a homeland target. The homeland target was felt to be especially relevant in gaining some understanding of which independent variables might be associated with an attack on one's own domestic critical infrastructure. The study design appears in Table 3-1.

                        Target of Attack
Type of Attack      Foreign Country      Homeland
Cyber               Cell 1               Cell 2
Physical            Cell 4               Cell 3

Table 3-1. Dependent Variable Design.

The dependent variable was the severity of the attack that the respondent felt was appropriate for the individual scenario outlined in each of the four study cells. The scenario for a physical attack on a foreign country had the following instructions to the respondent:

Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

Following the instructions was a set of possible actions the respondent could take. These actions were ordered from lowest severity — doing nothing — to the highest severity response — in this case, travel to Bagaria and damage a government building with an explosive device. There were eight categories in all. Note that respondents were instructed to assume that they had the abilities to carry out any of the responses. This was to ensure that they did not reject any category response because they felt they did not have the skills or logistics to carry out that action successfully. Also note that respondents were allowed to select more than one action. This conformed potential reactions to real-world situations in which multiple attacks might be contemplated, as well as providing more layers of complexity within the dependent variable.

The cyber attack scenario had similar instructions but, of course, had a different set of category responses available for the respondent to select. Here are the instructions for the second part of the foreign target country scenario:

Aside from physical activity, what online activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

There were nine possible response categories ordered by level of severity, ranging from doing nothing to compromising a nuclear power plant with the subsequent release of a small amount of radiation. Again, respondents could assume they had the skills necessary to carry out the attack. They also could — as was the case for physical attack responses — select multiple attacks with differing levels of severity.

The remaining two cells of the design involved retaliation against the respondent's home country infrastructure (e.g., domestic terrorist attack) for actions that his or her homeland or home country had taken against its own people. Here are the scenario instructions for the physical homeland attack:

Imagine that the country that you most closely associate as your home country or homeland has recently promoted national policies and taken physical actions that have had negative consequences to your home country. These policies and actions have resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against your home country given their policies and physical actions? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

These instructions were followed by the same set of eight potential responses as found in the physical attack measure and ordered once again by severity from low to high. Similarly, the cyber attack scenario on the respondent's own homeland or home country had the following instructions:

Aside from physical activity, what online activities do you think would be appropriate for you to take against your home country given their policies and physical actions? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

Again, these scenario instructions had the same set of cyber attack responses as was the case for the cyber attack against Bagaria's critical infrastructure.

Because all of the respondents provided answers to each of the four scenarios, this study design facilitated the examination of a number of important variations in the nature of the attack of an individual on a nation-state as well as the potential relationship between the severity of potential cyber attacks and physical attacks.

RESULTS AND DISCUSSION

The results presented in this chapter are preliminary, because more data are still being collected for the study. In addition, the authors of the study are still engaged in developing and testing a number of multivariate statistical models incorporating a number of independent predictor variables available in the data. However, because of the unique nature of this study, some initial descriptive results and simple univariate tests will be reported here.

First, an examination of the frequency distribution for the dependent variables for each of the four cells in the study is useful. The response frequencies for a physical attack on a foreign country appear in Table 3-2.

Action                                                                   Percent Response
Do nothing — let your country work it out on its own                     37.8%
Write a letter to the government of Bagaria protesting their actions     53.6%
Participate in a protest at an anti-Bagaria rally                        56.6%
Travel to Bagaria and protest at their country's capitol building        23.8%
Travel to Bagaria and confront a Bagarian senior government official
  about their policies                                                   20.0%
Travel to Bagaria and sneak into a military base to write slogans on
  buildings and vehicles                                                  1.3%
Travel to Bagaria and physically damage an electrical power substation    2.6%
Travel to Bagaria and damage a government building with an explosive
  device                                                                  0.9%

Table 3-2. Physical Attack Frequencies on Foreign Country.

Fewer than 38 percent of respondents felt that doing nothing was an appropriate response to the scenario. The most popular responses appeared to be writing a letter (53.6 percent) or protesting at a rally against Bagaria (56.6 percent). Interestingly, a nontrivial percentage of respondents would consider traveling to Bagaria to participate in some sort of civil disobedience — either protesting in the capital (23.8 percent) or confronting a senior government official (20.0 percent). Finally, a small but nonetheless troubling number of respondents would consider sneaking onto a military base (1.3 percent), damaging a power station (2.6 percent), or damaging a Bagarian government building with an explosive device (0.9 percent).18 Now compare this to the responses that an individual respondent would make in conducting a cyber attack against a nation-state. Table 3-3 below reveals the frequency distribution for a cyber attack on a foreign country.

About 36 percent of the respondents indicated that doing nothing in terms of mounting a cyber attack against Bagaria was an acceptable response. Interestingly, over 75 percent of the respondents felt that posting a comment criticizing the Bagarian government was an appropriate response. This should not be surprising, given the involvement of a large proportion of the online population in social networks. It may also suggest that social networks may serve a functional purpose in providing a nondestructive way in which individuals can register their displeasure at a government or nation-state.

Action                                                                   Percent Response
Do nothing — let your country work it out on its own                     36.2%
Post a comment on a social networking website like Facebook or Twitter
  that criticizes the Bagarian government                                75.3%
Deface the personal website of an important Bagarian government
  official                                                               11.2%
Deface an important official Bagarian government website                 10.2%
Compromise the server of a Bagarian bank and withdraw money to give to
  the victims of their policies and actions                               5.1%
Search Bagarian government servers for secret papers that you might be
  able to use to embarrass the Bagarian government                        8.5%
Compromise one or more Bagarian military servers and make changes that
  might temporarily affect their military readiness                       6.4%
Compromise one of Bagaria's regional power grids, which results in a
  temporary power blackout in parts of Bagaria                            2.6%
Compromise a nuclear power plant system, which results in a small
  release of radioactivity in Bagaria                                     0.4%

Table 3-3. Cyber Attack Frequencies on Foreign Country.

Moving up the severity scale in Table 3-3, a nontrivial number of respondents would engage in some sort of website defacement — 11.2 percent would deface the website of a specific government official, while 10.2 percent would deface a more general Bagarian government website. While website defacement generally is considered rather modest damage as far as cyber attacks go, it is still an illegal act and can cause significant embarrassment to the targeted government.

The remaining response categories in Table 3-3 are cyber attacks that are more serious in nature. A little over 5 percent of the respondents would attack a Bagarian financial institution and distribute the stolen funds to victims of the Bagarian government's actions. In addition, about 8.5 percent of respondents would steal secret government documents to embarrass the Bagarian government a la the Wikileaks incident.

Now looking at attacks that were more directly focused upon a nation-state itself, about 6.4 percent of respondents would consider a cyber attack against a foreign country's military as an appropriate response to actions taken by that country. Finally, looking at cyber attacks that were more specifically focused on a country's critical infrastructure, 2.6 percent of respondents would consider an attack on another country's electrical grid as an appropriate response, while 0.4 percent of respondents would consider attacking a nuclear power plant in a foreign country as appropriate retaliation for acts committed by that foreign country.

An initial examination of the severity of physical attacks and cyber attacks that respondents feel were appropriate to launch against a foreign country brings both good news and bad news to the table. On the one hand, the vast majority of respondents select only responses that had minor or no consequences to the targeted foreign country. On the other hand, there are a nontrivial number of respondents who personally advocated the use of physical and cyber attacks against a foreign country that would have some moderate to very serious consequences. While there is some comfort to be had in the fact that expressing intentions to commit terrorist acts is only the first link in the behavioral chain from ideation to the execution of an attack, and bearing in mind that this is a scenario-based situation, even a small incidence of individuals who would consider some of the most serious acts is troubling. This suggests that the emergence of the civilian cyber warrior (and perhaps the physical attack counterpart) is an event that should be taken into account when developing policies and distributing resources across national priorities to protect national critical infrastructure.

In contrast to the previous scenarios, in which feelings of nationalism may have played a substantial part in the motivation of individuals to react with more severe physical or cyber attack responses against a foreign nation-state, attacks against one's own country go against many of these nationalistic sensibilities. Nonetheless, domestic terrorism has in recent years gained significant national attention, both in the press as well as within federal law enforcement agencies.

The particular design of this study introduces an additional interesting but valuable complexity to this and future analyses. Approximately 10.4 percent of the respondents completing the survey identified themselves as having a homeland that was not the United States. Therefore, the homeland that they referred to in these next two scenarios was not the United States but rather a foreign country. This means that it is possible to make comparisons of attacks on the homeland when that homeland is the United States and when it is a foreign country. This may provide some additional perspective on cross-cultural differences in the civilian cyber warrior phenomenon.19

The first scenario is the one featuring a physical attack against one's own homeland. Table 3-4 displays the frequency distribution for the same response set that was used in the physical attack against a foreign country scenario discussed earlier.
Action                                                                    Percent Response

Do nothing — let your country work it out on its own                                 28.9%
Write a letter to government of Bagaria protesting their actions                     68.9%
Participate in a protest at an anti-Bagaria rally                                    60.0%
Travel to Bagaria and protest at their country's capitol building                    51.5%
Travel to Bagaria and confront a Bagarian senior government official
  about their policies                                                               28.5%
Travel to Bagaria and sneak into a military base to write slogans on
  buildings and vehicles                                                              2.1%
Travel to Bagaria and physically damage an electrical power substation                1.7%
Travel to Bagaria and damage a government building with an explosive device           0.9%
Compromise a nuclear power plant system, which results in a small
  release of radioactivity in Bagaria                                                 0.4%

Table 3-4. Physical Attack Frequencies on Homeland.

Approximately 28.9 percent of respondents stated that doing nothing to their homeland was an appropriate response. Interestingly, this percentage was substantially smaller than that found in the foreign country example (37.8 percent). Perhaps one reason this is the case is because of the potency of negative feelings that an individual feels when one's own country commits acts against its own citizens.

Following that pattern, substantially more respondents selected writing a letter (68.9 percent) or attending a protest rally (60.0 percent) against their own country than was the case when the offending nation-state was a foreign country. Similarly, more people were willing to travel to their own capitol city and either protest (51.5 percent) or confront their own government official (28.5 percent) than in the foreign country physical attack scenario. Vandalizing the military property belonging to one's own armed forces had an incidence of 2.1 percent, while attacking one's own national critical infrastructure had incidence rates of 1.7 percent for an attack on the power grid and 0.9 percent for an attack on a nuclear plant. A comparison of these last three attack responses between the foreign country as target and the homeland as target did not appear to reveal a consistent pattern, as was the case for other scenarios.

The final scenario involved cyber attacks against one's own country or homeland. The frequency distribution for this scenario appears in Table 3-5.

Almost 36 percent of respondents felt that doing nothing was an appropriate response when considering a cyber attack on their homeland. Again, about 75 percent of respondents would post a critical comment about their own country on a social network — very similar to the foreign country cyber attack scenario. Defacing the website of a specific government official in their own government received a 12.8 percent response, while defacing a more general government website was chosen by 11.5 percent of respondents as an appropriate response. Approximately 4.3 percent of respondents would extract funds from a bank based in their own country to distribute to the victims of aggressive action on the part of their own homeland.


Action                                                                    Percent Response

Do nothing — let your country work it out on its own                                 35.7%
Post a comment on a social networking website like Facebook or Twitter
  that criticizes your home country's government                                     75.3%
Deface the personal website of an important government official for
  your home country                                                                  12.8%
Deface an important official government website for your home country                11.5%
Compromise the server of a bank and withdraw money to give to the
  victims of the government's policies and actions                                    4.3%
Search your home country's government servers for secret papers that
  you might be able to use to embarrass the government                                8.9%
Compromise one or more of your home country's military servers and make
  changes that might temporarily affect their military readiness                      4.7%
Compromise one of your home country's regional power grids, which
  results in a temporary power blackout in parts of your home country                 1.7%
Compromise a nuclear power plant system, which results in a small
  release of radioactivity in your home country                                       0.9%

Table 3-5. Cyber Attack Frequencies on Homeland.

A surprising 8.9 percent would consider actions akin to a Wikileaks event, in which they would attempt to exfiltrate copies of secret documents in order to embarrass their own government. Almost 5 percent would use a cyber attack to reduce the readiness of their own military forces. A little over 1.7 percent of respondents would attack their own national power grid, while just 0.9 percent suggested that attacking a nuclear power plant in their own country would be an appropriate response.

When one compares the homeland cyber attack distribution to the foreign country cyber attack scenario distribution, it seems that they are more similar in shape than the two physical attack scenario distributions. It is unclear why this might be the case; perhaps it is due to the fact that the physical attacks require actual travel for some of the foreign country responses, and that may involve more risk than the cyber attacks, in which it does not matter where the attacking individual is geographically located.

Now that we have an idea of the frequency distribution of the variables of interest, some simple, initial univariate analyses may prove useful here. One of the obvious questions concerns the hypothesis that there might be some difference between the severity levels of an attack based on whether the target was a foreign country or someone's own homeland. Controlling for the type of attack facilitates the analysis, because the response scales involved in the comparison are identical. For these and subsequent analyses, given the multiple-response nature of the response variables, one should utilize the maximum severity response as the indicator of the severity of the response chosen by the respondent. That is, the study will use the most severe response of all the responses the respondent selects for a particular scenario. A simple parametric dependent-sample paired t-test can be employed for these comparisons. Severity scores range from one to eight for physical attack responses and from one to nine for cyber attacks, with the highest value being the most severe response.

If you compare target countries — foreign country versus homeland — the first thing to notice in Table 3-6 is that all the means have reasonably small values in comparison with the range of the scale. This is the result of most of the respondents selecting attack responses that were modest in their level of severity. If there is some silver lining in this cloud, it is the fact that most of the respondents selected either no action or actions that had modest consequences. One would not want to live in a world where the results revealed variables near the top of the scale; however, in some less robust countries, this generalization might be false.


Comparison           Mean Severity    T        Df    Sig (2-tail)

Cyber Foreign        1.62             .57      356   .569
Cyber Homeland       1.60
Physical Foreign     2.94             -7.80    356   <.001
Physical Homeland    3.46

Table 3-6. Foreign Versus Homeland Target.

Interestingly, there is no evidence supporting a difference in mean attack severity between foreign and homeland targets for the cyber attack scenarios. If nationalistic factors were involved here, one would expect a more severe attack directed toward the foreign country. Perhaps the fact that one can launch this kind of attack without ever being physically close to the target may have some effect, which attenuated an individual's propensity to launch a more severe attack on one type of target than the other.

Examining the mean differences for the physical attack scenario, a statistically significant difference is detected — it appears that respondents selected a more severe level of attack for their own homeland than they would for a foreign country. Certainly, it is not traditional nationalistic factors at work here. One possible reason for this might be the strong reaction from individuals to a government whose actions hurt their own people. One might think of this as a type of nationalism turned "inside out." One of the basic functions of government is to obtain and maintain the security and safety of its people. Governments violate a very strong cultural norm when they intentionally hurt the very individuals they should protect.

Finally, given that skill plays an important role in the strong meritocracy of the hacking community, this suggests that there might be a positive relationship between the severity of an attack on a nation-state's infrastructure and the skills of the individual selecting the type of attack. A principal components factor analysis was performed on eight measures of computer skills, such as installing an operating system or handling security issues, to produce a factor score-based variable that represents claimed technical skills by the respondent.

A quick look at Table 3-7 reveals that there are weak but statistically significant positive correlations between the skill factor variable and attack severity across all four attack scenarios. This suggests, as one might expect, a positive correlation between cyber attack severity and skill level for an individual. What is more surprising is that these correlations also exist between technical skills and physical attack severity. In addition, these weak but detectable correlations persist across both homeland and foreign country targets. Although caution must be taken because these are preliminary data, this finding may suggest that individuals with technical skills may pose multidimensional threats to critical infrastructure elements. It also suggests that there could be some crossover in the mode of attack for individuals. This may be especially enlightening in the scenario in which individuals whose traditional mode of attack is cyber-based might transition to either a blend of cyber and physical attack or eventually migrate to a strictly physical attack.


Scenario             Pearson's r    Sig (1-tail)

Physical Foreign     0.096*         0.030
Physical Homeland    0.118*         0.013
Cyber Foreign        0.100*         0.030
Cyber Homeland       0.109*         0.020

Table 3-7. Correlations between Skill Factor and Attack Severity.
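The maximum-severity scoring and dependent-sample paired t-test behind Table 3-6, and the skill-severity correlation with its one-tailed significance behind Table 3-7, carried through in code as an added example that is not part of the chapter. The option labels, the six constructed respondents and their skill factor scores are assumptions; the Student t tail probability is computed from the regularized incomplete beta so that only the standard library is needed.

```python
import math
from statistics import mean, stdev

# Severity rank of each cyber-attack option, 1 (least) to 9 (most), in the
# order of Tables 3-3 and 3-5; the option labels are this example's own.
CYBER_SEVERITY = {
    "do_nothing": 1, "post_comment": 2, "deface_official_site": 3,
    "deface_gov_site": 4, "bank_withdraw": 5, "steal_documents": 6,
    "military_servers": 7, "power_grid": 8, "nuclear_plant": 9,
}

def max_severity(selected, scale=CYBER_SEVERITY):
    """Most severe option a respondent ticked; no ticks counts as 'do nothing'."""
    unknown = set(selected) - scale.keys()
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    return max((scale[s] for s in selected), default=scale["do_nothing"])

def _betacf(a, b, x, max_iter=300, eps=1e-14):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) > tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h

def regularized_beta(a, b, x):
    """I_x(a, b): regularized incomplete beta function, 0 <= x <= 1."""
    if x <= 0.0 or x >= 1.0:
        return 0.0 if x <= 0.0 else 1.0
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log1p(-x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b

def two_tailed_p(t, df):
    """P(|T_df| >= |t|) for Student's t: I_x(df/2, 1/2) with x = df/(df+t^2)."""
    return 0.0 if math.isinf(t) else regularized_beta(df / 2.0, 0.5, df / (df + t * t))

def paired_t_test(x, y):
    """Dependent-sample paired t-test; returns (t, df, two-tailed p)."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equal-length samples with n >= 2")
    d = [a - b for a, b in zip(x, y)]
    n, md, sd = len(d), mean(d), stdev(d)
    if sd == 0.0:  # every respondent moved by the same amount
        t = 0.0 if md == 0 else math.copysign(math.inf, md)
    else:
        t = md / (sd / math.sqrt(n))
    return t, n - 1, two_tailed_p(t, n - 1)

def pearson_r(x, y):
    """Pearson r with one-tailed p (observed direction) on df = n - 2, as in Table 3-7."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need two equal-length samples with n >= 3")
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        raise ValueError("a constant sample has no correlation")
    r = sxy / math.sqrt(sxx * syy)
    if abs(r) >= 1.0:
        return r, 0.0
    return r, two_tailed_p(r * math.sqrt((n - 2) / (1.0 - r * r)), n - 2) / 2.0

# Constructed sample: (foreign-target ticks, homeland-target ticks, skill factor score)
SAMPLE = [
    (["do_nothing"], ["post_comment"], -0.8),
    (["post_comment", "deface_gov_site"], ["post_comment"], 0.6),
    ([], [], -1.1),
    (["post_comment"], ["post_comment", "deface_official_site"], 0.1),
    (["steal_documents"], ["post_comment"], 1.4),
    (["post_comment"], ["post_comment"], -0.2),
]

def analyze(sample=SAMPLE):
    """Foreign-versus-homeland paired t-test and skill-severity correlation."""
    foreign = [max_severity(f) for f, _, _ in sample]
    home = [max_severity(h) for _, h, _ in sample]
    t, df, p = paired_t_test(foreign, home)
    r, p1 = pearson_r([s for _, _, s in sample], foreign)
    return {"mean_foreign": mean(foreign), "mean_homeland": mean(home),
            "t": t, "df": df, "p_two_tail": p, "r_skill_foreign": r, "p_one_tail": p1}
```

With six constructed respondents the paired test has only df = 5, so the point is the scoring and the mechanics; the chapter's df = 356 comparison follows the same steps on its full sample.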


CONCLUSION 

Hopefully, this discussion has addressed several objectives. First, it has given the reader a basic fundamental understanding of motivations associated with actors who perpetrate malicious online behaviors — knowing your enemy can be a key element in gaining a comprehensive perspective on attacks against online targets. A second objective of the study is to identify specific instances of the civilian cyber warrior as a potentially more serious threat to critical infrastructure. Finally, some simple and initial analyses on preliminary data from a recent study have provided some empirical data that can be useful in guiding further investigation.20

Future analyses involving multivariate analyses of the civilian cyber warrior used in this chapter are already underway, and very preliminary results suggest that some of the independent predictor variables have statistically significant relationships to attack severity. Hopefully, this research will encourage others to pursue similar areas of investigation with the objective of better predicting the level of threat that the nation's critical infrastructure faces.
CHAPTER 4

CHANGING THE GAME:
SOCIAL AND JUSTICE MODELS FOR ENHANCED CYBER SECURITY

Michael M. Losavio
J. Eagle Shutt
Deborah Wilson Keeling

Thanks to the City College of New York, Grove School of Engineering, the Strategic Studies Institute of the U.S. Army War College and the 2009 Cyber Infrastructure Protection Conference, and Oak Ridge National Laboratory and its Cyberspace Sciences and Information Intelligence Research (CSIIR) Group and CSIIR Workshop 2010 for helping develop these themes.

INTRODUCTION 

To change the game in cyber security, we should consider criminal justice and social education models to secure the highly distributed elements of the information network, extend the effective administration of justice to cybercrime, and embed security awareness and competence in engineering and common computer practice. This chapter examines models of such behavior.

A broad approach is needed, since no single group of agencies can combat cybercrime alone.1 The approach to cyber security and cybercrime must change and expand. Traditional models for combating internal and transnational threats can assist with cyber security, even as information networks have expanded the risks to information security.
Physical security itself is insufficient, when an inmate in a correctional facility can crack the network from within the jail.2 Information control via ever-smaller handheld devices is increasingly difficult. For example, almost 53 percent of inmates in one state's correctional facilities misused electronics.3 See Figure 4-1.


[Figure 4-1: chart not reproduced in this text; legend: Misuse in Facility]

Source: Proceedings of IEEE Workshop on Systematic Approaches to Digital Forensics Engineering, 2010.

Figure 4-1. Percentage of Respondents Who Experienced Computer Misuse in Their Correctional Facilities.

Although the nation's homes may be castles, protected as no other space in American civil society is, that may not be true in regard to cyber security. As the 2003 National Strategy to Secure Cyberspace observed, these houses may offer targets of choice as sources of gain and tools for attack.4 The Internet puts the criminals and terrorists worldwide at our electronic doorstep, magnifying the risks and problems in addressing these information security problems. Cyber security must address how to achieve security in such a disparate, target-rich environment as that of worldwide computing.

The National Cyber Leap Year Co-Chairs Report addressed the need for "game changing" approaches.5 One novel approach used "Cyber Economics" for developing a market-type engagement in cyber security issues. This approach proposed four economic strategies for examination via research and policy implementation for "game-changing" solutions in cyber security:

1. Mitigating Incomplete Information: Mitigate incomplete and asymmetric information barriers that hamper efficient security decisionmaking at the individual and organizational levels.

2. Incentives and Liabilities: Leverage incentives and impose or redistribute liabilities to promote secure behavior and decisionmaking among stakeholders.

3. Reduction of Attackers' Profitability: Promote legal, technical, and social changes that reduce attackers' revenues or increase their costs, thus lowering the overall profitability (and attractiveness) of cybercrime.

4. Market Enforceability: Ensure that proposed changes are enforceable with market mechanisms.6

Incentives and new liabilities would include expanded vendor, Internet service provider (ISP), registrar and registry accountability, liability, and rewards for protective conduct, or the lack thereof (emphasis added). The report further notes that cyber security metrics are "poorly investigated," in that there is no accepted foundation for: (1) the information to collect; (2) the use of such information; and, (3) the weight of such information as to elements of uncertainty, inaccuracy, and error in its collection.7
Similarly, there are challenges to the orthodoxy of security engineering education that contend certain "myths" about security, such as the sufficiency of purely technical solutions and defense-in-depth strategies. These myths impede the creation of effective cyber security systems.8

CRIMINAL JUSTICE MODELS

The Application of Criminal Justice Models to Cyber Security.

In 2000, the Strategic Studies Institute (SSI) of the U.S. Army War College (USAWC) published a discussion on how criminal justice models might integrate into cyber security systems.9 The techniques and resources of state and local law enforcement and criminal justice entities could fit within national response. This seems appropriate, as communication networks have blurred national boundaries. The discussion also addresses the risks such an enmeshed world would create to civil society and its liberties, in which responses to attack risk "profound constitutional and security challenges" for the United States.10

Safety and security require more than technical protections and police response. They need a critical blend of those elements with individual practice and social norms. Social norms matched with formal institutions enhance public safety; this also holds true in the cyber realm.

Informal and formal modes of controlling and limiting deviant behavior are essential for effective security.11 Laws, procedures, and criminal justice agencies are all modes of formal social control. Attitudes, values, and actions of individuals represent potentially powerful informal modes. A community with a high degree of both modes will have a strong overall level of social control. These efforts must be incentivized and empowered at all levels. Where there is consonance in these two modes, there will be the greatest security.

Examples: Routine Activity Theory/Opportunity Theory and Displacement Theory.

This study suggests that the routine activity theory/opportunity theory and displacement theory — frameworks for analyzing crime in communities — are ways to conceptualize and pattern the benefits of informal social control on cyber security.12

Routine activities theory (RAT) posits that each of three elements contributes to a heightened or lessened risk: a suitable target, a lack of guardianship, and a motivated offender.13 The absence of one of these elements reduces the risk of misconduct, whereas their convergence increases it. For cyber security, the analysis should equally consider the availability of suitable targets, a presence or lack of suitable guardians, and an increase or decrease in the number of motivated offenders, particularly those seeking financial gain or state advantages.

Changes in attitudes among those who use these cyber systems can increase suitable guardians and reduce suitable targets, thereby changing the risk equation. This is a vital part of informal social control that must develop with and without technical supplements. There is no technical "patch" for ignorance.14

The overall power of social control is a function of both formal and informal controls.15 Laws, public policies, and law enforcement exemplify elements of formal social control, whereas community attitudes and norms exemplify informal control. While both spheres can impede crime, states with the greatest levels of control will have high degrees of both formal and informal social control.

In cyber security contexts, high levels of informal social control are essential to deter cyber attacks, particularly since attackers exploit the anonymity and distance-collapsing features of cyberspace as vectors for attack. For example, open source software practices have led to questions regarding cyber security. Yet, this software represents a collaborative social network that self-organizes and grows as a preferentially attached network.16 Such preferential attachment to cyber security can promote a distributed security regime through commitments to competent and suitable guardianship of the nodes and network around the subject code project.

Online social networks suggest opportunities for the examination of RAT-based security promotion. Facebook, MySpace, and Livejournal are all online social networks that promote cyber security both within and outside their domains. The observation, reporting, and notice/alert possibilities of network members who are competent and committed to security and protection can expand the guardianship network for anomalous behavior; they may also serve to reduce target vulnerability directly.

The information social network for the open source encyclopedia, Wikipedia, is another example of a community of guardians that has been successful in securing the information it presents. It may also serve as an example of risks due to its uncertainty of information assurance in topic areas lacking extensive guardian participation. The possibilities of such social networks for enhancing cyber security are significant, if realized. Alan Mislove, Massimiliano Marcon, Krishna Gummadi, Peter Druschel, and Bobby Bhattacharjee found that online social networks have small-world and scale-free properties based on power-law; these would indicate potential for the expansion of a guardian security regime.17 Others contend that though some aspects of RAT can apply to criminal activity involving computing systems, there are key differences that limit the utility of the model.18 The collapse of the social network may degrade the security of information.19 There must be vigilance in seemingly normal activity used to mask an attack.20

Consider M. Felson and R. V. Clarke's 10 principles of crime opportunity theory:21

1. Opportunities play a role in causing all crime.
2. Crime opportunities are highly specific.
3. Crime opportunities are concentrated in time and space.
4. Crime opportunities depend on everyday movements of activity.
5. One crime produces opportunities for another.
6. Some products offer more tempting crime opportunities.
7. Social and technological changes produce new crime opportunities.
8. Crime can be prevented by reducing opportunities.
9. Reducing opportunities does not usually displace crime.
10. Focused opportunity reduction can produce wider declines in crime.

Figure 4-2. Ten Principles of Opportunity and Crime.

These principles may be mapped to a variety of technical and nontechnical factors that enhance or diminish cyber security. Identifying opportunities and mitigating them are a major focus of information security research in finding technical vulnerabilities of systems. These vulnerabilities are specific and limited to the user space of a specific system, particularly those of typical system use. Once an exploit is found and used, its use will be replicated in other situations. Mitigation of these exploits may be both technical and nontechnical.

Certainly the expansion of social conduct into the online world has produced new crime opportunities within technology. As in other situations of expanding crime and social deviancy, the application to reduce these opportunities can have a beneficial effect in reducing cybercrime. Technical solutions certainly help, just as strong doors and locks help, but other factors, such as personal vigilance for self and neighbors and assured punitive response, can help as much or even more. These measures accord with the solution features suggested in the National Cyber Leap Year Co-chairs Report.22

Another application of criminological principles to cyber security relates to the use of criminal profiling and behavioral analysis.23 The reactive use of these techniques, much like the use of technical digital forensics in network settings, serves to focus an investigation and response in particular areas and on particular individuals. This, in some cases, may be as limited as the method of operation (modus operandi, or "MO") of a particular miscreant. But the reactive use goes beyond this to distinctive behaviors of individuals that are a priori and may lead to the use of particular operational methods or tools.

Proactive use of profiling deters, or prevents, crimes such as drug courier profiling. Frank Greitzer, Deborah Frincke, and Mariah Zabrieski discuss this in relation to the application of traditional security techniques to the identification of insider cyber security threats.24 The set of circumstances that have been associated with motives or disinhibitions leading to insider criminal activity, such as fraud or violence, may also match with insider cyber security breaches. The researchers note that, "Assessing ability, opportunity, and motivation is a primary decisionmaking task underlying the threat analysis."25 These factors may then map to information and network metrics as part of an enhanced alert for potential or actual threats to information security.

J. L. Krofcheck and M. G. Gelles26 note these nontechnical life factors and characteristics as risk indicators for insider cyber security threats:

• Non-U.S. citizen,
• Major life change,
• Access to classified information,
• System administrator rights,
• High level of computer skills and knowledge,
• Intermittent work history,
• Family/marriage issues,
• Legal issues,
• Credit/debt problems,
• Past or current arrest/criminal activity, and
• Strong interest in Blackhat community.

In turn, these indicators also present ethical and administrative issues with this security analysis, creating possible problems due to the possible invasion of privacy, and false suspicions that undermine both the reputations and morale of staff.

But there is the risk of creating hyper-romantic myths of profiling effectiveness. No profile alone has led to an arrest; rather, it is a directive tool of investigation that may be most effective when psychopathologies are present.27

SOCIAL AND EDUCATION MODELS

Cyber Security Awareness through Teaching Community Engagement.

Opportunities for invasion are reduced when a system user recognizes the risks and personally mitigates them. This could be as simple as not opening an email attachment from an unknown correspondent or permitting an unknown program permission to run. Such security could be achieved through the engagement of computer engineering students to broaden their understanding of their responsibilities to both the profession and to the public.

As with community safety relating to violent crime, cyber security requires effort and engagement, including general computing competence. But, there is little formal training in this area for the general public who are the most at risk. A model for such an engagement that would provide this training and awareness appears below.

The National Science Foundation-funded effort produced the Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives, to demonstrate the value of an interdisciplinary approach to cyber security development. This approach compiles many different and highly novel perspectives on information security and assurance, and encompasses a broader review of the consequences of failure than is traditionally addressed.

This collection begins with the challenge of how people view any problem and the natural tendency toward self-reference in framing issues. This may be quickly placed in the cyber security space, with computer engineering students directed to identify threats and responses. Through use of chapters dealing with "Social/Ethical Issues in Predictive Insider Threat Monitoring," "Peer-to-Peer Networks: Interdisciplinary Challenges for Interconnected Systems," and "Responsibility for the Harm and Risk of Software Security Flaws," students may then understand the greater complexity they face in security solutions as well as the legal and ethical consequences of failure in cyber security. Through their novelty, these perspectives push students to uncomfortable discussions that, in turn, may lead to better understanding of the challenges faced in order to achieve effective cyber security. These difficult discussions need to take place if there is to be effective security for our information and people.

Extending this information beyond the classroom becomes the next challenge.

An Information Security Model.

One model for expanding the discussion into real-life application implements the use of computer engineering students to handle community projects relating to cyber security. The Department of Computer Engineering and Computer Science at the University of Louisville introduced a community engagement/community-based learning/service learning component to its 500-level course on information security in the summer of 2009. This course, in addition to examining engineering, technical, and scientific foundations of data security, addressed issues relating to the administrative and practical implementation of secure computing practices. The community engagement/service learning component required the students to examine user responsibilities and their computer related needs. The students also implement a program to teach non-expert computer users safe and secure computing practices. This, in turn, allowed them to examine the foundations essential to information security and how to teach and communicate with others. The University of Louisville Engineering School has an extensive cooperative education program requiring students to work in industry. This community engagement/service learning component, however, requires the students to examine the interaction of computing systems with typical, non-expert users.

Service learning and community engagement components in 2009-10 courses on Information Security were directed at "authentic" issues of secure broad community deployment, the use of broadband services, the security of existing personal and small business systems, and user training.28 In addition to laboratory and design work, students created and implemented a detailed, low-level training program to community groups on user risk, conduct, and responsibilities related to online security. Training was administered in single presentations to various age groups ranging from elderly and retired individuals to elementary school students, with a focus on low-income communities. The following year, this program evolved into small group/one-on-one sessions with the targeted users.
Data Analysis and Outcomes for Students.

An assessment of student learning outcomes revealed that through the service learning/community engagement component, students had enhanced learning related to issues of information security.29 Of the respondents, 66 percent agreed that the engagement component, "... helped me either connect what I learned to real-life situations or contributed to knowledge in the discipline." Three-fourths agreed that it, "... provided me an opportunity to apply skills and knowledge I have gained from my major courses." The 2009 community presentation on information security scored well when compared with other components in connecting learning to real-life problems, as shown in Figure 4-3.

Figure 4-3. Effectiveness in Connecting Learning to Real-Life Problems.

The program allowed students to address authentic issues in the discipline of Information Security, as detailed in Figure 4-4, with nearly three times as many students finding the community engagement component connected them to an authentic experience within their discipline as compared with the system design or laboratory components.

Figure 4-4. Application of Skills and Knowledge from Major Courses.

This indicates value in such teaching and learning components for the students themselves.

The benefit and improvement in cyber security by those in the community receiving the training was studied in 2010 via surveys of the several site supervisors. Those surveys similarly indicated positive experiences with the training. The respondents agreed that the presentations covered new information on security for their target groups and improved the safe practices of those using computers.
The response from the site supervisor for the senior citizens residential facility provided anecdotal comments that indicated additional concerns about both a desire to access online services and a need for fundamental skills. These comments, from individuals ranging from 67 years of age to 88 years of age, noted:

• I want to get online when I learn the basics of how to use a computer. Seniors are unable to help other seniors. They do not have the patience or skills to explain things to other seniors. Every time you turn around, you need to have a computer. You can't enter a contest or shop online. If you want to learn more about a particular news story, they tell you to go online. Many free discount coupons are only available online.

• All my family has computers, and they talk back and forth to each other. I would love to be with them.

• Keyboard would be difficult, but I would love to do family history research.

• The students made my computer faster, much faster. We did not get into a discussion about security (the main concern was about medical information).

• I never order anything on the computer. I have heard too many stories of persons losing everything by giving out credit information.

• Students helped with setting up my games. I still have pop ups and must restart the games.

These responses demonstrate both the need and desire for skills in secure, competent computing. The program offers a way to distribute security awareness and skills that meet the requirements of criminal justice theory and provide learning objectives within the discipline of computer engineering.

The National Collegiate Cyber Defense Competition.

The National Collegiate Cyber Defense Competition brings together students from universities who compete regionally and then nationally to protect computer systems from cyber attacks. Lieutenant General Harry Raduege, Jr. (USAF, Ret.), chairman of the Deloitte Center for Cyber Innovation and co-chairman of the Commission on Cyber Security for the 44th presidency, has noted, "These exercises are vital training for people who will be safeguarding the nation's systems and infrastructure."30

To prepare for the computer attacks of the future, the competing students must successfully defend their computer network against hostile attacks while maintaining operations in regional and national competition. Attacks against their systems are conducted by penetration testers from the industry.

This is an intensive laboratory experience for the next generation of cyber defenders. It is another example of a social/education model for developing cyber security skills across the operational spectrum in an environment close to the real world, with all the complexities, ambiguities, and stresses it entails.31

FUTURE DIRECTIONS

Areas of study and testing in expanding cyber security are recommended. This must move from concept to pilot models that one can measure for effectiveness. In the limited examples described here, data on the effectiveness of the training systems are one area that requires further study to establish firmly the benefit of this model. The testing and data on pilot projects are the next step to enhancing guardianship roles and hardening targets. For example, the Cyber Clean Center project of the Japanese Computer Emergency Response Team Coordination Center is a cross-disciplinary collaboration between JP-CERT, Trend Micro, ISPs, and various security vendors — the goal of which is to create a guardian network against botnet compromise and exploitation.

Participating ISPs operate decoy honeypot machines on their networks that serve as sensors for botnet activity. They log the Internet protocol (IP) addresses of infected machines, from which the ISPs notify the infected user of the compromise and offer a "BOT disinfestation website" with easy, clear instructions and downloadable tools to clean their compromised machines.32 The system is dynamic, with analysts monitoring sensor activity and creating "disinfestation" tools directed toward new threats.

The activity report data for April 2010 show a cumulative number of 484,583 (7,561 for April) alert emails sent to 100,696 (3,751 for April) recipients, with a cumulative download rate of disinfestation tools of 31.8 percent.33 The CCC data offer an opportunity to evaluate the effectiveness of methods, such as this one, in enhancing security, particularly as an application of the guardian roles in enhancing cyber security.

Melissa Hathaway, a cyber security expert during the George Bush and Barack Obama administrations, has suggested the online game "The SmokeScreen Game" as a novel way to promote secure behavior.34 The SmokeScreen Game is a British project that lets students test life online through social media and their interactions with others in the electronic world. The SmokeScreen Game addresses lies, malice, misinformation, and criminal online conduct, allowing young people to test these parameters in a simulation before being caught in a potentially damaging reality.

Lastly, the 2011 service learning and community engagement components will continue to collect additional data on the effectiveness of this model. Computer engineering students in the junior-level course on legal, ethical, and social issues in computing have begun more fundamental work with community members on competent computing — expanding the base of skills and producing additional data on basic user needs.

CONCLUSION

Cyber security is yet another facet of security in an uncertain world, an issue people have sought to address throughout human history. It requires global attention, not a belief that "police action" can solve all risks. Cyber security can be enhanced through the use of criminal justice and social education models to secure the highly distributed elements of the information network. It can extend the effective administration of justice to cybercrime and embed security awareness and competence in the use of pervasive and ubiquitous computing via novel and creative ways to engage people in their own online cyber security.

Because this is happening swiftly in an expanding world of cyber consumers that has outstripped our traditional educational system, special efforts must be made to engage citizens in protecting this new, rich environment for learning, commerce, and society. Failure to do so will only expand the pool of victims, potential and real.
CHAPTER 5

AN INSTITUTIONAL AND DEVELOPMENTAL ANALYSIS OF THE DATA BREACH DISCLOSURE LAWS

Melissa Dark

This chapter is based on an earlier, extended version of a chapter that appears in Melissa J. Dark, ed., "Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives," Hershey, PA: IGI Global, available from www.igi-global.com, posted by permission of the publisher.

INTRODUCTION

Although advances in computing promise substantial benefits for individuals and society, trust in computing and communications is critical in order to realize such benefits. The hope for cyber trust is to create a society in which trust enables technologies to support individual and societal needs without violating confidences and exacerbating public risks. Cyber trust, in part, depends on software and hardware technologies upon which people can justifiably rely. However, the cyber trust vision requires looking beyond technical controls to consider how other forms of social control contribute to a state of cyber trust. As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, there has been noticeable growth in public policy as a form of social control to bolster cyber trust. One can see such growth just by briefly inventorying some of the regulations enacted to protect security and privacy:

• Freedom of Information Act (1966)
• Fair Credit Reporting Act (1970)
• Bank Secrecy Act (1970)
• Privacy Act (1974)
• Family Educational Rights and Privacy Act (FERPA) (1974)
• Right to Financial Privacy Act (1978)
• Foreign Intelligence Surveillance Act (1978)
• Electronic Communications Privacy Act (ECPA) (1986)
• Telephone Consumer Protection Act (1991)
• Communications Assistance for Law Enforcement Act (1994)
• Driver's Privacy Protection Act (1994)
• Health Insurance Portability and Accountability Act (HIPAA) (1996)
• Computer Fraud and Abuse Act (1996)
• Children's Online Privacy Protection Act (COPPA) (1998)
• Digital Millennium Copyright Act (1998)
• Gramm-Leach-Bliley Act (GLBA) (1999)
• USA PATRIOT Act (2001)
• Federal Information Security Management Act (2002)
• Fair and Accurate Credit Transactions Act (2003)
• CAN-SPAM Act (2003)
• 46 State Data Breach Disclosure Laws* (2003-present).

*The U.S. Virgin Islands, Puerto Rico, and the District of Columbia have also enacted data breach disclosure laws.
This is not an exhaustive list, but it is representative and exemplifies the increasing growth in legislation. Given that information security and privacy are becoming more important, as evidenced by the growth in public policy, policy analysis in this area is timely and relevant.

Policy analysis aims to address questions such as the following. What do governments choose to do or not to do? How effective are the proposed or enacted solutions to public problems? How are issues that affect large numbers of citizens introduced to the public arena? What are the historical, political, and institutional factors that shape the formulation of public policy? In light of the relationships among policies, which of the various alternative policies will be most effective in achieving a given set of social goals? How can policymaking improve through research and analysis?

This chapter considers the data breach disclosure laws recently enacted in most of the United States. There are three important factors that make the state data breach disclosure laws of interest: the rapid policy growth; the first concrete example of informational regulation for information security; and the importance of these laws to prevent identity theft and protect privacy. The chapter begins with a discussion of the policy analysis framework used for this analysis. Thereafter, the chapter offers a retrospective analysis of the historical, political, and institutional factors that gave rise to these laws, i.e., the legislative outcomes seen today. Finally, the chapter concludes with suggestions for information security and privacy policy in the future.
INSTITUTIONAL ANALYSIS AND DEVELOPMENT FRAMEWORK

The institutional analysis and development (IAD) framework is a tool for performing policy analysis that focuses on how institutions, i.e., structures and mechanisms of social order, govern behavior. The goal of using this framework is to organize one's inquiry into a subject, which in this chapter are the data breach disclosure laws. The IAD framework is associated with the social theory of new institutionalism, which grew out of a desire to study institutions from a sociological perspective. Whereas old institutionalism studies formal institutions — such as organizations, norms, laws, and markets — new institutionalism adds the study of how institutions operate in a sociological context. In new institutionalism, institutions are abstractly defined as "shared concepts used by humans in repetitive situations organized by rules, norms and strategies" (Ostrom, 1999, p. 37). New institutionalism considers topics such as how individuals and groups construct institutions, how institutions function in practice, how institutions interact and affect each other, the effect that the sociological environment has on these interactions, and the effects of institutions on society. In new institutionalism, institutions are both the entities (organizations, laws, and markets) themselves, as well as things — rules, norms, and strategies — that shape the patterns of interaction across these entities.

While rules and norms are powerful, they are largely invisible, which makes identifying and measuring them difficult (Ostrom, 1999). One can describe them, but not precisely. This is important, since readers of this chapter will clearly see qualitative descriptions to depict institutions in action, but not quantitative measures. As a result, the description of this type, by its nature, includes connotation, which cannot be avoided; norms exist in us, not apart from us. Therefore, this chapter is subject to the author's bias. Readers must refute and/or improve upon this work. It is incumbent on all who are interested in such research to be aware of, and guard against, personal biases where they may limit findings.

The IAD framework appears in Figure 5-1. The action arena in the middle of the figure includes the action situations and the actors. In describing the action situation(s), the analyst attempts to identify the relevant structures, i.e., those affecting the process of interest. This can include participants; allowable actions, and linkages to outcomes; the level of control that participants have over choice; information available to participants; and costs and benefits assigned to actions and outcomes. The analyst also identifies the pertinent actors. Actors are individuals and groups (entities) who take action, i.e., they behave in a manner to which they attach meaning, either subjectively or instrumentally. Moving to the right in Figure 5-1, the IAD model includes patterns of interaction and outcomes. Most social reality includes multiple action arenas that interlink; some may say they are entangled. The IAD framework calls out patterns of interaction as subjects of interest in their own right as well as in relation to action situations and actors, and to outcomes. Outcomes are observed, inferred, and/or expected behaviors or results.

Note: Adapted from P. Sabatier, 1999.

Figure 5-1. Institutional Analysis and Development Framework.

Moving to the left of the framework, action arenas can also be dependent variables. In this way, the analyst looks at how rules-in-use, attributes of community, and physical/material conditions influence the action arena. Rules-in-use are shared understandings about what is expected, required, and allowed in ordering relationships. Physical/material conditions refer to the characteristics of the states of the world as they shape action arenas. Clearly, what is expected or allowed may be conditioned by what is physically or materially possible. Likewise, physical conditions might shape rules-in-use and vice versa. Attributes of community are nonphysical conditions that provide structure to the community. Attributes of community may or may not be shaped by physical conditions and can serve to influence rules-in-use and the utilization of physical conditions. Moving right to left in the IAD model, one can also study how outcomes influence physical conditions, attributes of community, and rules-in-use. Consistent with the new institutional paradigm, the IAD model assumes that social systems are continually constituted and reconstituted; in this way, both the systems and the models to analyze them are organic in their worldview.

The IAD model does not prescribe how analysis is performed. The arrows do not mean to suggest that the analyst needs to work through the model in full, or from left to right. For example, an analyst can work from 1) the action arena to 2) outcomes in an effort to discern or predict patterns of interaction. Another alternative would be to work from 1) observed outcomes to 2) effects thereof on rules-in-use or attributes of community. Or the analyst can work across levels, e.g., investigating how collective choice rules-in-use such as excludability and the free-rider problem influence what type of operational policy can be enacted. This ability to study multiple aspects of an institution simultaneously is the power of this model. The IAD model is especially useful for analyzing self-governing entities; self-governing entities are comprised of individuals who create and influence the rules that structure their lives. In other words, the members (or their representatives) of a self-governing entity participate in the development of the collective-choice and constitutional rules-in-use. Self-governing entities are complex, adaptive systems in that they consist of a large number of elements interacting in multiple ways; the interactions change the system, which shapes future interactions such that outcomes are hard to predict, and thus, considered emergent. Self-governing entities are polycentric, in which citizens organize multiple governing authorities and private arrangements at different scales. A constitutional government is a self-governing entity; in an interesting contrast, the Internet is also a self-governing socio-technical entity. Public policy in information assurance and security is about how a polycentric system governs a polycentric system, making the IAD framework a useful analytic tool for this paper.

Retrospective Analysis.

The retrospective analysis examines rules-in-use, attributes of community, and the physical and material conditions that served to shape the policy actions we have seen to date in information security and privacy. Given that the data breach disclosure laws aim to ameliorate identity theft and privacy concerns, we start with an overview of other legislation in these areas.

Policy Actions to Date.

The first U.S. law that specifically addressed identity theft was passed in 1998 — the Identity Theft and Assumption Deterrence Act, passed in response to the dramatic rise in identity (ID) theft in the 1990s. Prior to this act, ID theft was not regulated per se. With regard to privacy, there is no provision for privacy in the U.S. Constitution. There is no independent privacy oversight agency in the United States, and the United States has no comprehensive privacy law. Instead, the United States has taken a sectorial approach to privacy regulation so that records held by third parties — such as financial and personal records at banks, educational and personal records at universities, membership and personal information at associations, and medical and personal records at community hospitals — are generally not protected unless a legislature has enacted a specific law. As a result, we have a patchwork of laws enacted to address privacy and data security. These are outlined next, starting with the laws that pertain to the federal government, followed by laws that pertain to the private sector, and finally, state laws.

Federal  Laws. 

The Federal Trade Commission (FTC) Act was established by the Federal Trade Commission in 1914 for the purposes of promoting consumer protection and eliminating and preventing anticompetitive business practices. Jurisdiction of the FTC Act extends to a variety of entities. Section 5 of the FTC Act forbids unfair or deceptive practices in commerce, where unfair practices are defined as those that cause or will likely cause substantial injury to consumers. Section 5 of the Federal Trade Commission Act has been used with regard to privacy and security when companies have been accused of deceptive claims regarding use of personal information (e.g., Choicepoint). In 2003, the FTC Act was amended to include a provision regarding the privacy of consumers' credit data (the Fair and Accurate Transactions Act of 2003 - 15 U.S.C. 1681-1681x).

The Privacy Act of 1974 (5 U.S.C. 552a) governs the federal government's information privacy program. The intent of the Privacy Act is to balance the government's need to maintain information about individuals and the privacy rights of individuals. The Privacy Act protects individuals against unwarranted invasions of privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal information (U.S. Department of Justice, 2008). The U.S. Congress passed the act in response to revelations of privacy abuse during President Richard Nixon's administration. A second goal of the Privacy Act is to address potential abuses stemming from the government's increasing use of computers to store and retrieve personal data. The Privacy Act focuses on four basic policy objectives:

1. To restrict the disclosure of personally identifiable records maintained by federal agencies.

2. To grant individuals increased rights of access to federal agency records that pertain to themselves.

3. To grant individuals the right to seek amendment of federal agency records maintained on themselves, given evidence that the records are inaccurate, irrelevant, untimely, or incomplete.

4. To establish a code of "fair information practices" that requires federal agencies to comply with statutory norms regarding collection, maintenance, and dissemination of records.

The Privacy Act specifies that agencies will not disclose any record contained in a system of records by any means of communication to any person or to another agency without the prior written consent of the individual to whom the record pertains — barring exceptions such as law enforcement. The Privacy Act also mandates that each federal agency have in place an administrative and physical security system to prevent unauthorized release of personal records. While the Privacy Act also applies to records created by government contractors, it does not apply to private databases.

The Federal Information Security Management Act (44 U.S.C. 3544) (FISMA), enacted in 2002, is the principal law governing the information security program for the federal government. FISMA calls for agencies to develop, document, and implement agency-wide information security programs. This includes information systems used or operated by an agency or by a contractor of an agency. A goal of FISMA is to see that information security protections are commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency. FISMA requires procedures for detecting, reporting, and responding to security incidents. Notification of security incidents must be provided to a federal information security incident center, law enforcement, and relevant Offices of the Inspector General. The Office of Management and Budget Breach Notification Policy, issued in 2007, reemphasizes agencies' obligations under the Privacy Act and FISMA by outlining two new privacy requirements and five new security requirements, which include explicit requirements for breach notification.

The Veterans Affairs Information Security Act (38 U.S.C. 5722) was enacted in 2006 in response to the May 2006 breach of 26.5 million veterans' personal data. The Veterans Affairs Information Security Act requires the Veterans Administration (VA) to implement agency-wide information security procedures to protect the VA's sensitive personal information and information systems. While the VA Secretary must comply with FISMA, this act includes other requirements not in FISMA, which are not specified here due to the narrow scope of this law, i.e., it applies only to the VA.

Private  Sector  Laws. 

In addition to the laws that shape the behavior of federal agencies, a suite of information security and privacy laws apply to the private sector. The two main laws are the Health Insurance Portability and Accountability Act (42 U.S.C. 1320) of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6809), enacted in 1999 (GLBA). HIPAA requires health plans, health care clearinghouses, and health care providers to ensure the privacy of medical records and prohibits disclosure without patient consent. While HIPAA includes privacy provisions, it is important to note that the primary purpose of HIPAA was job mobility. According to Hinde:

It was perceived that the disclosure of pre-existing medical conditions or claims to a new employer and that employer's health plan might discourage job mobility if those conditions were excluded by the new health plan insurer. Thus, the concept of providing privacy over identifiable information for those covered by the plan (Hinde, 2003, p. 379).

The security standards that require health care entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic "protected health information" were added to HIPAA in 2003.

The Gramm-Leach-Bliley Act (GLBA) pertains to financial institutions. The impetus for GLBA was to "modernize" financial services. This included the removal of regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. These financial institutions regularly bought and sold information that many would consider private, including bank balances and account numbers. Therefore, the:

(R)emoval of these regulations raised significant risks that these new financial institutions would have access to an incredible amount of personal information with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merged, however, they would have the ability to consolidate, analyze, and sell the personal details of their customers' lives (EPIC, 2008).

GLBA requires financial institutions — businesses that engage in banking, insuring, stocks and bonds, financial advice, and investing — to safeguard the security and confidentiality of customer information, to protect against threats and hazards to the security or integrity of these records, and to provide customers with notice of privacy policies. Section 501(b) of GLBA requires banking agencies to establish industry standards regarding security measures such as risk assessment, information security training, security testing, monitoring, and a response program for unauthorized access to customer information and customer notice. In this way, GLBA is self-regulatory because it calls for financial institutions to appoint an intermediary to determine best practices for information security and to monitor the performance of financial institutions against these industry standards.

State  Data  Breach  Disclosure  Laws. 

The most recent spate of activity is in the 46 state data breach disclosure laws. California was the first state to establish a data breach disclosure law in 2003; 10 other states enacted laws in 2005, 19 in 2006, eight in 2007, five in 2008, two in 2009, and one in 2010. Questions and concerns about the efficacy of these laws are many. All of these laws address three common elements: personal information definition, notification requirements, and notification procedures and timelines. However, the definitions of "personal information," "breach," "encryption," and "potential risk" are not consistent across the various state laws. This creates challenges for companies that operate in more than one state. The need to comply with multiple state laws can be cumbersome and costly. Thus far, it is not known whether consumer notification is effective, or under what circumstances. Given that the laws vary with regard to what is protected, to what degree, and when, consumer advocates fear that the lack of consistency diminishes the effectiveness of the laws. By allowing consumer rights to vary, consumers lose their power and, as a result of their protections meaning many different things, these consumer protections mean no one thing. Questions also arise about the use of personal notification as a mitigation strategy. As notifications increase, there is an increased risk of consumer desensitization, which ironically could cause consumers to be inattentive to the risk, which would be counterproductive.

The clarion call is that we are drowning under a myriad of different state data breach notification laws, thereby making a federal data breach notification law imperative. In response, 15 federal data breach notification bills have been introduced in the past 4 years. While all of these bills are dead, the discussion of preemptive federal law continues. The debate continues as to the needs of business versus consumer groups. As business vies for a high threshold for notification, because notification costs time, money, and reputation, consumer groups contend that higher thresholds do not grant enough notice to consumers. Questions of what ought to be done with regard to identity theft, privacy, and security remain salient.

Retrospective Policy Analysis.

We now turn to a discussion of the policy analysis using the IAD framework to consider why and how we arrived at the development of the 46 existing data breach laws. In this retrospective analysis, we consider the rules-in-use, attributes of community, and the physical and material conditions that served to shape the policy actions we have seen until now. To date, public policy in information security and privacy in the United States has been largely incremental in nature. We can see from the patchwork of laws discussed earlier in this chapter that we have thus far resisted a coordinated federal law that preempts existing legislation. Incrementalism is common in self-governing, polycentric entities. In policy analysis, incrementalism assumes that: 1) the effects of seriality enhance outcomes by reducing uncertainty; and, 2) the enhanced consideration of context enhances outcomes. That the information age has introduced a number of uncertainties makes incrementalism especially relevant.

Stated more directly, and in connection to the IAD model, one of the rules-in-use is incrementalism. When there is a high degree of uncertainty, policy will be enacted incrementally. Thus, a plethora of laws is to be expected. While identity theft is nothing new, the magnitude of identity theft experienced in the past decade is new. The global information infrastructure is in its infancy — it is still unclear what people will and will not do in the electronic frontier. The Internet was never designed to serve the myriad of purposes for which it is being used, nor was it designed for billions of users. Laws designed in the industrial era may or may not apply in the information age. It is not certain what new laws are necessary as a result of information technologies and how effective these laws will be.

During this period of transition, new communities form and existing communities are being reshaped; as a result, behavioral norms are being renegotiated. Given the global nature of the Internet, it is reasonable to view these communities as more heterogeneous or, at a minimum, heterogeneous in new ways. Therefore, norms cannot be easily transported based on existing communities; they will have to be established from the ground up, which is bound to take time. Additionally, because the technology is still new, scientists and engineers are still determining what actions are physically possible. Talented individuals around the world are working on technologies to help anonymize data, enhance privacy-preserving computation, and provide improved intrusion detection, but this takes time as well. Experience in all of these areas — rules-in-use, attributes of community, and physical/material conditions — occurs through observation, involvement, and exposure.

Though we do not have much experience, there has been the need to take action. ID theft is on the rise, which concerns citizens. Two of the core imperatives of the state are domestic order and legitimacy (Dryzek, Downes, Hunold, Schlosberg and Hernes, 2003). Yet, the existing federal and private sector laws are not sufficient to address the rising identity theft problem threatening domestic order, thereby forcing lawmakers to take action to ensure their perceived legitimacy. In response, federal laws have been amended, private sector laws are being tweaked, and a flurry of state laws have been enacted. To what can we attribute the incremental changes we have observed? Why do we have these laws as opposed to something else? To answer these questions, we turn to a discussion of openness and transparency, informational regulation, the infancy of the information industry, and federalism; we further examine how rules-in-use, attributes of community, and physical/material conditions have intersected in each of these areas to produce the policies we have today.

Openness  and  Transparency. 

A democracy is founded on principles of openness and transparency. In 1933, Justice Louis D. Brandeis coined the powerful phrase "sunlight as disinfectant" in support of increasing openness and transparency in public policy. While laws that aim to ensure openness and transparency in government operations existed before 1933, Brandeis is responsible for the term "Sunshine Laws." The impetus behind sunshine laws is twofold. First, a thriving, open democracy depends on open access and citizen participation; thus, the right-to-know is a constitutional and inherent right of American citizens. Second, a government that is of the people, for the people, and by the people asserts government subservience to the individual, which predicates freedom of information.

The Freedom of Information Act (FOIA), signed into law on July 4, 1966, by President Lyndon B. Johnson, is a Sunshine Law. FOIA allows for the full or partial disclosure of previously unreleased information and documents controlled by the U.S. Government. The concept of "freedom of information" conveys a philosophy that values the advantages of increasing our ability to gather and send information, and clearly does not connote privacy as a positive right. This acts as a rule-in-use.

The Privacy Act of 1974 arrived 8 years later as an amendment to the FOIA in response to Watergate and the abuse of privacy during the Nixon administration. The Privacy Act of 1974 did not promote privacy, but established a code of fair information practice. It was also an attempt to limit the powers of government and passed hastily during the final week of the 93rd Congress, which was in session from 1973-74. According to the U.S. Department of Justice:

[N]o conference committee was convened to reconcile differences in the bills passed by the House and Senate. Instead, staffs of the respective committees — led by Senators Ervin and Percy, and Congressmen Moorhead and Erlenborn — prepared a final version of the bill that was ultimately enacted . . . the Act's imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply (U.S. Department of Justice, 2008).

Moreover, even after more than 25 years of administrative and judicial analysis, numerous Privacy Act issues remain unresolved or unexplored. Adding to these interpretational difficulties is the fact that many Privacy Act cases are unpublished district court decisions.

This offers important insight into the historical context with regard to how information and privacy are embedded in the past, as well as food for thought on how this norm has shaped our ongoing collective treatment of it going forward. Through the enactment of FOIA in 1966, the push to enable information sharing was a result of mistrust in government. Eight years later, the Privacy Act was reactive in nature and reflective of further distrust of government. Through these pieces of legislation run two noteworthy threads. First is the value of freedom of information, wherein information belongs to and exists for the advancement of citizens and the common good. Second is a distrust of government powers, wherein stewardship cannot be entrusted to the polity. "Privacy" in the Privacy Act is not a positive right, but rather a necessary provision subservient to limiting government powers.

Earlier in this study it was noted that HIPAA was passed to enable job mobility and GLBA was passed to modernize the financial services industry. Again, in the context of these laws, privacy is secondary to another purpose. In HIPAA and GLBA, privacy is a means to an end; in other words, privacy plays a functional or instrumental role. Society needs privacy because citizens need job mobility; society needs privacy to modernize financial services. Implicit is the message that if citizens did not need job mobility or financial services modernization they would not need to concern themselves with privacy. Even though privacy was cast as a functional need in both HIPAA and GLBA, the similarity ends there. These industry sectors have significantly different regulatory frameworks (Congressional Research Service, 2008). The security and privacy provisions in these laws are more reflective of the larger regulatory framework for these industries. The regulatory framework for these industries served as additional rules-in-use, shaping these laws.

Informational  Regulation. 

Another phenomenon that is essential to understanding the U.S. data breach laws is informational regulation. Informational regulation has become a striking development in American law (Sunstein, 2006). To date, informational regulation has applied in the environmental and health policy arenas. It is noteworthy that informational regulation has been applied to these areas. In the case of environmental policy, informational regulations have protected aspects of the environment that are common (or public) good in nature, which by definition means that the private sector will not attend to them. A similar situation occurs in the area of public health, in which the health of all citizens is both good for the individual as well as for the collective as a means and an end, i.e., it is a common or public good.

Informational regulation has two functions. First, it serves to inform people of potential risk exposure (Volokh, 2002) and serves as "sunlight," which was already discussed as the value of transparency. Second, informational regulation aims to change the behavior of risk creators (Volokh, 2002) and to exert pressure on entities to care for the common good. Informational regulation is useful in a polycentric policy arena in which the problems that the policy means to address are attributable to multiple sources, the solutions require participation from multiple parties, and the nature of problems and solutions is dynamic — all of which necessitate that the policy must allow for adaptability. Clearly, caring for the environment or health are polycentric policy areas. Environmental and health problems stem from multiple sources, and ameliorating these types of problems takes ongoing involvement from multiple parties. The same is true for data security, identity protection, and privacy. Improved data security is possible only under conditions that shape the practices of numerous individuals and covered entities; therefore, policy that provides incentives for such change is, in theory, necessary. How does informational regulation work in practice?

Figure 5-2 shows the mechanistic view of the premise for informational regulation for data breach disclosure laws. Informational regulation intends to provide warning information to consumers. In theory, by enhancing the knowledge level, consumers can perform a personalized risk assessment and make purchase decisions based on that assessment. The market decisions made by consumers intend to drive the less secure entities out of the market, thereby improving the state of security over time. In addition, the enhanced knowledge levels will propel consumers to engage in other protective actions, such as active credit monitoring or a credit freeze. Consumer credit monitoring typically includes alerting the bank and credit card merchant, notifying the FTC, and/or contacting law enforcement. A credit freeze allows consumers to lock their consumer credit report and scores. Once consumers have locked their credit information, the lender or merchant cannot access it, which significantly lowers the likelihood that the merchant will issue credit. The benefit is that the thief is not likely to get credit in the consumer's name (so the law prevents a false-positive, also called a Type II error). The downside is that this locking also impedes consumers from quickly getting credit in their name (a false-negative, or Type I error); note that consumers can release the freeze, but it takes a few days and may jeopardize quick access to special loans and other purchase incentives. These proactive consumer measures will in theory also lead to improved security over time.

Figure 5-2. Informational Regulation Premise for Data Breach Disclosure Laws.

Informational regulation also aims to change the actions of producers. By engaging producers in providing information, informational regulation, in theory, reveals an entity's practices. This sends a signal to society that perhaps this entity cannot be trusted. The premise is that covered entities value their reputations. As such, they will act to improve their security in order to preserve their reputations and minimize associated costs, which could include the costs of the notification itself, as well as downtime costs, the costs of remediation and recovery due to the breach, and the costs of lost business. Ideally, these two streams combine to improve data security, which in turn mitigates ID theft and enhances privacy.

The premise of informational regulation is that: 1) market mechanisms can shape risk behavior, thereby reducing the need for command-and-control regulations; and, 2) informational regulation enhances democratic processes and promotes individual autonomy. By providing data breach information to victims, individuals are empowered to make decisions based on quality (i.e., they can elect to purchase goods/services from a provider who offers enhanced information security and privacy), and market mechanisms will be fortified. A failure to provide complete and accurate market information can impede the efficient allocation of goods and services and result in market failure, which is the driver for changing producers' behavior.

In theory, informational regulation allows more public monitoring of decisions, a norm already discussed. By forcing disclosure, more people are informed; and by informing more people, the quality and the quantity of public deliberation will improve, thereby enhancing the democratic processes that are vital for openness and transparency. In general, information disclosure rests on the normative belief that citizens have a right to know the risks to which they are exposed. This information promotes choice and autonomy, both of which are foundational to what some may consider the penultimate norm in American society — liberty (Renshaw, 2002).

In contrast to command-and-control regulation, in which the government sets and enforces standards, informational regulation is often less expensive. The United States values efficient government, and recent decades have seen an increased emphasis on downsizing the federal government. While it is not clear that command-and-control legislation would be effective in mitigating data breaches or in making data breach disclosure more effective, it is clear that a command-and-control approach is not politically efficacious at this point in time.

In summary, informational regulation has grown in areas where consumer protection, private sector practices, and risk converge. Examples include warning labels regarding mercury levels, nutrition labels disclosing fat content, and notifications about the side effects of a given medication. That data security shares these same material features — consumer protection, private sector practices, and risk — has clearly contributed to adopting informational regulation as the model for data breach disclosure laws.

Infancy of the Information Industry and Federalism.

Continuing with a thread that was started earlier — relative inexperience with the information age — the information industry includes: 1) industries that buy and sell information as a good or service; 2) certain service sectors that are especially information intensive, such as banking and legal services; 3) information dissemination sectors, such as telecommunications and broadcasting; and, 4) producers of information processing devices, such as computers and software. The information industry is a boon to the economy, as information amplifies growth in more traditional industry sectors, and the demand for information goods and services increases markedly. Because of the ends and means nature of information goods and services, the market is quite large and still emerging.

An  example  of  emergence  is  the  following  rela¬ 
tively  recent  cascade  of  events:  the  Internet  explosion; 
September  11,  2001;  and  the  subsequent  war  on  terror. 
These  events  converged  to  boost  the  data  brokerage 
industry.  Data  brokerages  are  companies  that  collect 
and  sell  billions  of  private  and  public  records  con¬ 
taining  individuals'  personal  information.  Many  of 
these  companies  also  provide  products  and  services, 
including  identity  verification,  background  screen- 
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ing,  risk  assessments,  individual  digital  dossiers,  and 
tools  for  analyzing  data.  Most  data  brokers  sell  data 
that  they  collect  from  public  records  (e.g.,  driver's  li¬ 
cense  records,  vehicle  registration  records,  criminal 
records,  voter  registration  records,  property  records, 
and  occupational  licensing  records)  or  from  warranty 
cards,  credit  applications,  etc.  In  addition,  data  bro¬ 
kers  purchase  so-called  "credit  headers"  from  credit 
reporting  agencies.  Information  on  a  credit  header 
generally  includes  a  person's  Social  Security  number, 
address,  phone  numbers,  and  birth  date  (Congres¬ 
sional  Research  Service,  2007).  Although  some  of  the 
products  and  services  provided  by  data  brokers  are 
currently  subject  to  privacy  and  security  protections 
aimed  at  credit  reporting  agencies  and  the  financial 
industry  under  the  Fair  Credit  Reporting  Act  (1971) 
and  GLBA  (1999),  many  are  not.  Because  the  indus¬ 
try  is  relatively  young,  there  is  no  history  of  oversight 
or  self-regulation  of  the  industry's  practices,  includ¬ 
ing  the  accuracy  and  handling  of  sensitive  data,  by  an 
industry-sanctioned  body. 

Data brokerages are not the only unregulated entities. Many other organizations process, store, and transmit personal information: state and local agencies, public hospitals, departments of revenue and motor vehicles, courts at the state and local level, agencies that oversee elections, K-12 schools, school districts, post-secondary institutions, and business entities engaging in inter- and intrastate commerce. Most of these entities are not covered by HIPAA and GLBA (Congressional Budget Office, 2006) and have traditionally been governed through state law; hence the 46 state data breach laws discussed earlier. This suite of laws is in part a result of lack of experience with information markets, and partly a function of the need for legislation that spans the numerous and varied types of entities that process, store, and transmit personal information. A broad and amorphous social challenge such as information security and privacy is not only diffuse; it is emergent. Research has shown that, for open-access common good resources (such as security and privacy), collective choice action arenas, i.e., those that improve opportunities for communication and public deliberation, result in better joint outcomes (Ostrom, 1999). The patchwork of data breach laws fits this profile: the laws aim to increase communication and public deliberation.

In a federalist system such as the United States, sovereignty is constitutionally divided between the federal government and the constituent states. The powers granted to the U.S. federal government are enumerated and limited; they include the right to levy taxes, declare war, and regulate interstate and foreign commerce. The powers traditionally reserved by the states include public safety, public education, public health, transportation, and infrastructure. Of course, information security and privacy challenges permeate these state-governed organizations, too. While a federal preemptive law might span all organizations and individuals, there is the possibility that it would erode state sovereignty and, in the process, alter the federal-state balance of power in unprecedented ways. The patchwork suite of laws that we have can be partially attributed to a collective belief that this would be wrong. This retrospective analysis provides nuanced insight into the present. Federal laws were enacted to delimit government powers, and privacy seemed necessary for that purpose. Private industry sector laws were passed to protect the private sector, and data security and privacy were functional means to that end. These federal and private sector laws reflect a general U.S. cultural norm of distrusting government while trusting in the private sector and market forces. Informational regulation was established as a form of legislation considered effective for issues that spanned consumer protection and risk, and where market mechanisms would or could work effectively, which is further evidence of pervasive trust in the private sector.

LOOKING FORWARD

Technological advancements are changing the information security and privacy landscape considerably; in response, organizations grapple to enact social controls, i.e., public policies, that mitigate the ill effects. Yet these policies are blunt instruments not suited to the careful excision of these ills. As mentioned earlier, some critics contend that the nation is drowning under a myriad of different state data breach notification laws and argue for a preemptive federal data breach notification law. Others contend that the current laws can suffice if modifications are passed.

Some advocates of modifying existing laws assert that the outcome of data breach disclosure should be to motivate large-scale reporting so that data breaches and trends can be aggregated, which allows a more purposeful and defensive use of incident data. Those who advocate for large-scale data collection view the existing laws as "disclosure disincentives" for two reasons: 1) breached entities view themselves as victims of attack and not deserving of reputational repercussions; and 2) existing laws offer covered entities considerable discretion as to whether to disclose. Together, these factors result in underreporting of data breaches, which in turn constrains large-scale data collection regarding breaches. The proposed policy solution is to modify the laws to make breach notification completely anonymous, with breached entities reporting to an intermediary and not to consumers.

Others who advocate for modifying the existing laws suggest a coordinated response architecture (CRA) (Schwartz and Janger, 2007). Supporters of this alternative agree that large-scale data collection on data breaches is necessary, but contend that consumer notification needs to be amended, not eliminated. Their main concerns with the existing consumer notification practices are that: 1) there are too many notifications, leading to consumer desensitization; and 2) the information provided to consumers is unhelpful at best and befuddling at worst. In response, this group advocates for amendments to the data breach laws to include a CRA. The CRA is an intermediary agency with responsibility for: 1) supervised delegation of the decision whether to give notice; 2) coordination and targeting of notices to other institutions and to customers; and 3) improving the content of notices sent to consumers.

Each of the alternatives offers a critique of the existing suite of laws. Each critique is grounded in a premise of what outcomes matter, and each alternative offers a view on how policy can or should target actions in pursuit of these outcomes. Questions of what should be with regard to ID theft, privacy, and security remain salient. The problem is both highly polycentric and emergent, and these conditions favor polycentric and incremental policy approaches.

Yet others would suggest that informational regulation is the wrong type of legislation entirely, and that tort law would be more effective for redressing problems of negligent behavior. Still others support a mix-and-match set of policy alternatives. One example is a preemptive federal law in conjunction with tort laws and existing state laws, in which the scope of preemption is fairly narrow. The justification is that such a policy mix would allow greater stringency, and therein sovereignty, in state laws as desired by states, but provide for certain requirements in a federal law in areas that are crucial to improving security.

As opposed to thinking about discrete policy solutions, challenges in information security and privacy are highly polycentric and emergent; these conditions in turn favor polycentric and incremental policy approaches. The 46 state data breach laws put data security into the hands of citizens and organizations. In a society pillared by equity and freedom as ideals, where there is no constitutional provision for privacy, the constant for deliberating the common good is an open and representative process. This myriad of data security laws aims to make explicit these individual preferences in a manner that allows all to translate them into collective choice. Two conclusions follow: first, the future of data security is contingent on seeing more laws enacted to address facets of information security and privacy; and second, these laws are likely to be more polycentric, not less.

CHAPTER 6

CYBER SECURITY AND IDENTITY:
SOLUTIONS FOR CRITICAL INFRASTRUCTURE THAT PROTECT CIVIL LIBERTIES AND ENHANCE SECURITY

Joshua Gruenspecht

INTRODUCTION: IDENTITY PROBLEMS AND IDENTITY VALUES

Problems with identity determination raise some of the most complicated and unresolved issues in cyber security. Just as in the physical world, identity online can be crucial both in restricting access to critical resources and in responding appropriately to threats or attacks. In the networked world, however, identifying a communications partner can be difficult, and information security can suffer as a result. Industry and government are pursuing a number of approaches to better identify communicants so as to secure information and other assets. As part of this process, some policymakers have suggested fundamental changes to the way in which the Internet transmits identity information. Though their solutions have varied, this subset of policymakers has coalesced around the general idea that Internet communication needs to be more traceable so that malefactors can be tracked more easily.

What these policymakers often fail to recognize is that identity is bigger than cyber security alone. Changes to online identity standards may also have effects on civil liberties and global freedom, economic and technological innovation, market choices, consumer privacy, and other issues associated with online business models. Authentication mechanisms that do not consider commercial compatibility may be left behind in the marketplace, while enforced compatibility may create barriers to entry for entrepreneurs. Mechanisms mandated by the government, though, may choke off superior private-sector solutions. Enhanced identity mechanisms may complicate the right to anonymous speech and increase the ability of repressive regimes to target dissenters. In all these ways, network identity is not just a matter of security, but also a matter of civil and economic freedom. Accordingly, the development and implementation of identity solutions must involve a weighing of values.1 Increasing the traceability of communications endangers many of these values. Instead of expending limited resources to pursue solutions that have serious negative consequences, it is incumbent upon policymakers to first consider alternative ways to address the cyber security identity problem.

In order to assess the full spectrum of identity solutions proposed for cyber security, it is useful to understand that there are two related but distinct sets of problems in network identification: authentication and attribution. Authentication refers to the process of verifying the identity of a communicant (a machine or a user). Where an identity is associated with certain permissions, authentication mechanisms can be used to protect critical resources by securing systems from unauthorized access. Attribution, in contrast, concerns how to determine the identity of a communicant (as the source of certain code or other data) based on all of the information that the communicant has placed onto the network, including metadata associated with his or her communications. Attribution strategies can help assign responsibility for an attack. They can also help identify threats to network security, thus helping to mitigate those threats before their impact is felt. In some scenarios, authentication information can play a significant role in attribution, though policymakers often gloss over this piece of the attribution equation.

The first section considers both sets of problems and concludes that authentication-oriented solutions are more likely to provide significant security benefits and less likely to produce undesirable economic and civil liberties consequences. The second section explains the concepts of authentication and attribution in greater depth, discussing how each relates to network security and to other core values. The third section explains how identity information is currently exchanged on the Internet, and what authentication and attribution challenges are raised by these existing solutions. The fourth section evaluates proposed solutions to identity problems and the policy issues associated with those solutions, explaining the benefits and drawbacks of each for both cyber security and for other values. The last section provides conclusions reached as a result of this analysis.

AUTHENTICATION AND ATTRIBUTION: IDENTIFYING THE COMMUNICANT

Authentication: Demanding Identity Before a Transaction.

Authentication is "the process of establishing an understood level of confidence that an identifier refers to a particular individual or identity."2 Authentication often involves an exchange of information before some other transaction in order to ensure, to the extent necessary for the transaction at hand, that the sender of a stream of traffic is who he or she claims to be or otherwise has the attributes required to engage in the given transaction.3 Enhancing the security of the authentication process in turn enhances the security of the transaction. Because critical resources such as utility control systems, financial networks, and systems holding classified information are increasingly accessible through the Internet, authenticating users becomes an important cyber security concern. There are two sets of authentication questions that drive security. First, how can authentication security be improved? Second, what level of authentication should be required in any particular situation?

To understand how improvements happen, it is important to understand the underlying authentication transaction. There are three parties to an authentication transaction.4 The "user" associates him or herself with a digital identity; the "identity provider" facilitates and stores that association; and the "relying party" asks the identity provider to verify the user at the time of the transaction (or relies on something provided to the user by the identity provider). In many situations, the identity provider and the relying party are one and the same (e.g., a business issuing user names and passwords for access to its own internal network, or Google authenticating a user into Gmail). Combining the two can increase security by reducing both the number of parties to the transaction and the technological complexity of the transaction, but it can also reduce security because, when every relying party issues its own identities, users (even sophisticated ones at important facilities) engage in insecure practices such as reusing the same password across systems.5


Information exchanged to authenticate identity is often broken down into three separate classes of authenticators: something you know, such as a password; something you have, such as a card or USB token; and something you are, such as biometric information.6 Including multiple factors, especially from different classes, generally increases the security of the transaction.

Creating a digital identity generally requires some form of "proofing," a pre-authentication step in which the user and the identity provider exchange other authenticators. This process sometimes involves off-line identities and sometimes involves, especially for higher levels of security, an in-person interaction. If the authenticators used to prove identity are themselves invalid, or the proofing process is otherwise inadequate, the resulting identity credentials will not be reliable.

Underlying the second question, "What level of authentication should be required?", is the supposition that different kinds of transactions should require different levels of authentication. Some observers believe that certain online transactions, for example, accessing a publicly available government website, can be permitted with no authentication, while others propose that at least some identification should be part of every Internet transaction.7 Almost all technical solutions and policy proposals involving identity, however, are based on the creation of levels of assurance (LOAs).8 LOAs rank networked systems according to the consequences of authentication failure and define authentication requirements at each level. Accessing a newspaper article, for example, surely requires fewer assurances of identity than accessing the control system of a nuclear reactor. Work has already been done to define LOAs for federal systems,9 and private sector identity initiatives have followed the government's four-level framework.10 However, what is lacking, certainly in the private sector, is any agreement on what level of assurance is required for what type of transaction or access. To the extent that this lack of agreement leaves critical resources inadequately protected, the failure to adopt standard LOAs raises significant cyber security concerns.
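
The three-party transaction and the LOA policy described above, as an added example that is not part of the chapter or of any particular identity system: a user is enrolled with an identity provider, authenticates with one or two factors, and the identity provider issues a signed assertion that a separate relying party verifies before applying its own per-resource minimum LOA. The relying party name, the resource table, the factor-to-LOA mapping, the shared key and the credentials are assumptions made for this example; the one-time code follows RFC 4226, and an HMAC-signed JSON object stands in for a standard assertion format such as SAML or OpenID Connect.

```python
"""Three-party authentication with a level-of-assurance (LOA) check.
Added example, not code from the chapter: the resource table, the
factor-to-LOA mapping, the shared key and the user are illustrative
assumptions, and HMAC-signed JSON stands in for a standard assertion format.
"""
import hashlib
import hmac
import json
import os
import struct
import time

ASSERTION_KEY = b"example-shared-key-do-not-reuse"  # assumed secret shared by IdP and RP
ASSERTION_TTL = 300  # seconds an assertion stays valid
# Assumed mapping from the authenticator classes used to an LOA (1..4); the
# four-level shape follows the text, the thresholds are not from any standard.
LOA_FOR_FACTORS = {frozenset({"know"}): 1, frozenset({"know", "have"}): 3}
# Assumed relying-party policy: resource -> minimum LOA required to use it.
REQUIRED_LOA = {"public-notice": 0, "billing-portal": 1, "plant-control-console": 3}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: the 'something you have'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class IdentityProvider:
    # Stores the user/identity association and vouches for it to relying parties.
    def __init__(self):
        self._users = {}

    def enroll(self, username, password, token_secret=None):
        """Proofing/enrollment step: bind the user to a digital identity."""
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "pw_hash": _pw_hash(password, salt),
                                 "token_secret": token_secret}

    def authenticate(self, username, password, audience, otp=None, counter=0, now=None):
        """Check the presented factors; return a signed assertion, or None on failure."""
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"]):
            return None
        factors = {"know"}
        if otp is not None:  # a wrong or unenrolled second factor fails the whole login
            if rec["token_secret"] is None or not hmac.compare_digest(hotp(rec["token_secret"], counter), otp):
                return None
            factors.add("have")
        now = int(time.time() if now is None else now)
        claims = {"sub": username, "aud": audience, "loa": LOA_FOR_FACTORS[frozenset(factors)],
                  "iat": now, "exp": now + ASSERTION_TTL}
        payload = json.dumps(claims, sort_keys=True)
        return {"payload": payload,
                "sig": hmac.new(ASSERTION_KEY, payload.encode(), hashlib.sha256).hexdigest()}

class RelyingParty:
    # Never sees the password: accepts only a valid assertion, then applies LOA policy.
    def __init__(self, name):
        self.name = name

    def verify_assertion(self, assertion, now=None):
        """Return the claims if signature, audience and expiry check out, else None."""
        if assertion is None:
            return None
        expected = hmac.new(ASSERTION_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # tampered or forged
        claims = json.loads(assertion["payload"])
        now = time.time() if now is None else now
        if claims["aud"] != self.name or now >= claims["exp"]:
            return None  # issued for another relying party, or replayed after expiry
        return claims

    def authorize(self, assertion, resource, now=None):
        """Return (allowed, reason); unknown resources fail closed at the top LOA."""
        need = REQUIRED_LOA.get(resource, 4)
        if need == 0:
            return True, "no authentication required"
        claims = self.verify_assertion(assertion, now)
        if claims is None:
            return False, "no valid assertion"
        if claims["loa"] < need:
            return False, "LOA %d below required %d" % (claims["loa"], need)
        return True, "%s admitted at LOA %d" % (claims["sub"], claims["loa"])

def demo(now=1_700_000_000):
    """Constructed scenario: one operator, one relying party, several access attempts."""
    idp, rp, pw = IdentityProvider(), RelyingParty("plant-portal"), "correct horse battery staple"
    seed = b"12345678901234567890"  # constructed token seed (the RFC 4226 test key)
    idp.enroll("operator", pw, token_secret=seed)
    pw_only = idp.authenticate("operator", pw, "plant-portal", now=now)
    pw_otp = idp.authenticate("operator", pw, "plant-portal", otp=hotp(seed, 1), counter=1, now=now)
    wrong = idp.authenticate("operator", "wrong", "plant-portal", now=now)
    console = "plant-control-console"
    return {"billing/password": rp.authorize(pw_only, "billing-portal", now)[0],
            "console/password": rp.authorize(pw_only, console, now)[0],
            "console/password+otp": rp.authorize(pw_otp, console, now)[0],
            "console/wrong-password": rp.authorize(wrong, console, now)[0],
            "console/expired": rp.authorize(pw_otp, console, now + ASSERTION_TTL)[0]}
```

Running demo() shows that a password-only login is enough for the billing portal but not for the control console, that adding the token code raises the assertion to LOA 3, and that a wrong password or an expired assertion is refused. The relying party's LOA gate is what keeps a low-assurance login away from a high-consequence resource even when the identity provider is a separate organization; the audience and expiry checks are what stop an assertion issued for one site from being replayed at another.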

To some degree, cyber security identity may benefit from developments in the e-commerce and social networking sectors, where identity and authentication are hot topics. Online service providers recognize that users dislike the complexity of maintaining multiple identities, and therefore providers want to streamline their identity processes. At the same time, advertisers and advertising platforms see huge benefit from linking online activity with offline or true name identity.11 As a result, multiparty efforts are underway to create identification systems that will work across sites,12 and individual companies such as Facebook are stepping forward as universal commercial identity providers.13 Combining these efforts with cyber security efforts might have beneficial network effects such as the reduction of complexity. However, these commercial solutions are not likely to have the proofing mechanisms or implementation security required to serve at high LOAs.

Finally, authentication solution designers in the commercial context have to take into account user expectations, since users may abandon services that fail to protect anonymity when users consider it integral to their use of the service.14 Attempts to apply cyber security authentication solutions at lower LOAs may face similar resistance.15

Attribution: Determining Identity after a Transaction.

Attribution is the analysis of information associated with a transaction or series of transactions to try to determine the identity of the sender of a stream of traffic. Information collection and analysis is the focus of attribution. Transaction design is also relevant to the extent that it can help assure the availability of information to analyze.

The absence of an easy means of identifying the originator of malicious traffic gives rise to security policy concerns at multiple levels.16 First, on a practical level, the recipient of unwanted traffic is more limited in its ability to respond to the problem if it cannot identify the sender of that traffic. That recipient may restrict further traffic from a given network source, for example, but will have to regroup if the sender re-routes his or her traffic. Second, as a matter of tort and criminal law, it is difficult to construct a legal case against a virtual interloper without attribution.

Third, as a matter of international law, the laws of war demand both proportionality of response and minimization of damage to the property of non-aggressors and neutral third parties. Even if there were a legal understanding of what actions constituted "cyber war," the use of military force would be impermissible under international law without the ability to determine the identity of the aggressor. Relatedly, an attribution deficit reduces the effectiveness of deterrence as a policy for discouraging bad actors, whether criminal or governmental. American foreign policy relies heavily on deterrence in other warfighting spaces. In cyberspace, a lack of attribution may handicap that reliance.17

Because attribution is a forensic discipline, the key problems revolve around the availability, collection, and analysis of information. There are multiple kinds of relevant information. Both the malicious code itself and associated communications metadata can offer hints as to the identity of the sender. Traffic routing information can help trace communications back to their starting point. Background intelligence can help contextualize transactional information.

Traffic routing information is particularly important to attribution. Meticulous attention to content can often remove traces of identity, but no sender can escape the fundamental truth of routing: content has to be sent from somewhere. As we discuss below, Internet Protocol (IP) addresses are a useful source of identity information. However, some policymakers argue that Internet transactions do not offer enough information about routing and that changes in routing systems and/or networks must produce additional information for attribution.18 Other experts warn, however, that network-level personal attribution is of limited forensic value. David D. Clark and Susan Landau, for example, argue that, rather than issuing calls for better attribution on the network, applications should be designed that do a better job of integrating identity and attribution when and only when it is actually necessary.19

Increasing the ease of attribution may have unintended consequences. Re-engineering traffic routing for all Internet transactions will challenge privacy and anonymity, including in situations in which privacy and anonymity are in the best interests of the United States and other democratic countries.20 By contrast, some regimes have demonstrated an interest in using Internet attribution as a means of controlling dissidents' access to information online.21 In addition, if attribution solutions require Internet service providers to invest more heavily in specialized hardware or software, they may indirectly raise barriers to entry for new Internet services. Increasing attribution may also substantially affect policy efforts aimed at giving consumers greater control over the compilation of online profiles.22 Weighing these consequences against the cyber security benefits is a critical task for policymakers.

Authorization and Auditing: Security Issues beyond Authentication and Attribution.

Although this chapter focuses on authentication and attribution, two other issues closely relate to identity and are critical elements of any secure system: authorization and auditing. Authorization is the process by which a given authenticated user identity is associated with a set of permissions. Authorization mechanisms are used, for example, to prevent the use of low-security accounts to access high-security information and controls. Policy interventions aimed at improving the technical security of authentication should not ignore the security of authorization mechanisms. Indeed, measures to improve authorization may offer some of the greatest benefits to cyber security at the least cost to other values.

Auditing, meanwhile, refers to two processes. The first consists of reviewing a system periodically to ensure that it continues to function properly. The second consists of reviewing a system after it fails to determine what caused that failure. Keeping adequate system logs and reviewing such logs regularly and thoroughly is a critical security function. Unless systems are audited, many compromises will never be discovered, or will not be discovered until it is too late.

Though both authorization and auditing are important, authentication and attribution pose especially thorny policy questions and have been the focus of much recent debate. Accordingly, this chapter focuses on authentication and attribution as the key policy problems, although further examination of authorization and auditing is certainly justified.

IDENTITY AND THE INTERNET: HOW AUTHENTICATION AND ATTRIBUTION WORK IN PRACTICE, AND WHAT CONCERNS CURRENT SOLUTIONS RAISE

Identity on the Internet: How Parties Exchange Identity Information, and What Information They Exchange.

The Internet is a physical network of interconnected hardware devices. Each device uses the same suite of protocols, including IP, to communicate. To forward data, the network of data connections between those physical devices relies on IP addresses, which are "logical" addresses, rather than on any information about physical device type or location. This offers several benefits. One is that the individual networks that make up the Internet can interoperate without each one having to maintain an exhaustive list of the physical location of every communications partner on the Internet. Instead, routing protocols allow networks to determine which logical neighbor is closest to the destination, and to pass data along to that device. Not until the last step does the recipient's physical location matter. Another benefit is that physical devices of all kinds can join the Internet without having to adhere to a particular hardware specification. As long as a device can run the protocols, it can exchange data with other devices.

IP addresses are a key source of identity information exchanged with every Internet packet. As IP addresses are logical, not physical, they are not permanently tied to any particular user or machine. However, they do provide useful identity signifiers. Blocks of addresses are generally assigned to businesses and Internet service providers (ISPs) and then leased to individual users.23 On its own, an IP address can often identify the country of origin and, depending on how the owner of a block assigns addresses, perhaps a region, a city or neighborhood, or even a particular location. Moreover, at any given moment, every IP address in use is known by the ISP to be linked to a particular device or a particular physical address, which can be determined with the cooperation of the ISP. Though the ISP may not always be able to map an IP address directly to an end-user device (e.g., when a user is connecting through a wireless router), it can point an investigator in the right direction. As a result, IP addresses can be very useful in locating the origin of traffic.

The IP suite also requires that additional routing information be exchanged in Internet transactions. While this information does not relate directly to the identity of the transaction partners, it can be indirectly useful in identifying a sender. For example, every packet carries a "time to live" (TTL) field. The sender sets it to an initial value, and each router that forwards the packet decrements it by one, so the value seen at the destination reflects how many hops the packet has taken. Because most operating systems start from one of a few well-known initial values, the TTL can sometimes be useful in estimating how distant, in router hops, the originator of a given stream of traffic is from his or her target, although a sender who chooses an unusual initial value can defeat the estimate.
The last type of information contained within almost all Internet packets is content, which can also be useful in attribution. Individual packets of information may bear hallmarks of their origin or traces of data from their sender. Natural language contents may be written in a particular foreign language or show evidence of having been written using a language-specific keyboard layout. Exploits and other forms of malicious code may contain stylistic signatures associated with a particular user or group. Analysis of such content, however, is inevitably ad hoc.

Aside from these general sources of identifying information available within all Internet traffic streams, there are also information sources specific to authenticated transactions. For example, many online services require their users to authenticate themselves, which often provides a reliable means of identifying communicants. Generally, commercial services design their own authentication protocols. Given the many classes of services that require authentication (financial institutions, merchants, and so on), there are many different authentication protocols. The most common authentication paradigm for services involves setting up an encrypted connection to the user under a fresh session key, requesting authenticators24 from that user to establish identity, and then allowing the authenticated user access to the service.

Authentication may be performed by a third party (the issuing party), with credentials subsequently passed to the service provider (the relying party), or the service provider may perform the authentication itself.25 In the first case (the "triangle model"), the relying party redirects the user login to the issuing party, which authenticates the user and then returns a token establishing the user's credentials to use the service provider site. One example of the triangle model is Facebook Connect, a service allowing users to leverage their Facebook identifications (IDs) to log into other sites. More sophisticated issuing parties may even handle authorization, returning a token that not only authenticates, but also specifies which services a user may use. In the second case, the service provider handles the authentication and authorization directly. An example of this bilateral model would be Apple's web services, which require that users establish accounts directly with Apple, and then authenticate directly to Apple itself.

Entities that rely on identities issued by others possess the local account ID of the user (perhaps a real name, perhaps not) but not information about additional authenticators, such as passwords or information obtained through proofing. The issuing party possesses that latter information. Service providers who use the bilateral model have all the information collected during both the initial proofing step and the authentication step.
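The triangle model in working code, as an added example (not the chapter's own material and not Facebook Connect's actual protocol): an issuing party checks the user's password and mints a token bound to one relying party, and the relying party verifies the token and learns only the account ID. It assumes the two parties share an HMAC-SHA256 key out of band; a deployed system would use SAML or OpenID Connect with public-key signatures, so that a relying party could verify tokens without being able to mint them.

```python
"""Triangle-model login: issuing party authenticates, relying party trusts the token.
Added example; the shared key, names and token layout are assumptions."""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64(data):
    return base64.urlsafe_b64encode(data)


class IssuingParty:
    """Holds the authenticators (salted password hashes); relying parties never see them."""

    def __init__(self, name, signing_key, lifetime=300):
        self.name, self._key, self.lifetime = name, signing_key, lifetime
        self._users = {}  # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, audience, now=None):
        """Authenticate the user; on success return a token bound to `audience`, else None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        now = int(time.time()) if now is None else now
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "iat": now, "exp": now + self.lifetime}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + b"." + _b64(sig)


class RelyingParty:
    """Accepts tokens from one named issuer that are addressed to this site; stores no passwords."""

    def __init__(self, name, issuer, verification_key):
        self.name, self.issuer, self._key = name, issuer, verification_key

    def accept(self, token, now=None):
        """Return the subject (the local account ID) if the token is valid here, else None."""
        now = int(time.time()) if now is None else now
        try:
            body, _, sig = token.partition(b".")
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return None  # forged or altered token
            claims = json.loads(base64.urlsafe_b64decode(body))
            if claims["iss"] != self.issuer or claims["aud"] != self.name:
                return None  # minted by someone else, or for another site
            if now >= claims["exp"]:
                return None  # stale token
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None  # malformed token
```

The audience check is what stops a token issued for one relying party from being replayed at another; the expiry bounds how long a stolen token is useful; and nothing the relying party stores would let an attacker who breaches it recover a password, which is the division of information the preceding paragraph describes.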

Cyber Security Concerns: Problems with Existing Exchanges and Areas of Possible Policy Intervention.

Authentication Concerns.

Critical infrastructure is lagging in the adoption of secure authentication,26 but this does not seem to be due to any technological issues. There appears to be general consensus that the available technological means of authentication are sufficiently secure to protect information.27 Under that assumption, then, the most important policy issues in authentication are ensuring that, first, critical infrastructure appropriately adopts these technologies and, second, that critical infrastructure authorities properly implement these technologies to minimize the possibility of compromise from human error. Adoption within critical infrastructure may be slowed by the lack of product metrics, the absence of agreement on what level of assurance (LOA) is appropriate for a given context, the dearth of information about cyber security risks and their costs, and poorly designed incentives for the adoption of improvements. Fundamental ease-of-use problems with identity technologies also exist, which may require additional innovation.

One barrier to adoption may be the absence of metrics surrounding the use of authentication technologies. The average system administrator may not understand the relative merits of one technology or product over another. Product metrics that made comparison across technologies or products simpler could improve the ability of information technology (IT) professionals to understand tradeoffs.

A second adoption barrier may be the absence of recognized levels of assurance for any given level of access or permission. Does a utility control system require more protection than a bank? Do different banking systems or functions require different levels of protection? If businesses knew which LOA was appropriate for a given system or function, they would have a common language with which to decide what level of security is appropriate. In turn, those levels of assurance can help make the creation of metrics easier as well, by allowing product security ratings to refer to LOAs.28 To address these concerns, further work could be done to define appropriate LOAs for different private sector systems. In particular, LOAs that are more granular than the existing four-level government LOAs might help to speed adoption, given that security needs have many different dimensions across the full range of American industry.

A third potential barrier to adoption of authentication technologies is part of a broader cyber security concern: information sharing. Owners and users of information infrastructure may not understand their own vulnerabilities.29 Without additional information connecting security failures with their ultimate costs, companies are unlikely to invest in better cyber security, and, by extension, better authentication mechanisms.

Finally, even with better information, institutions may not have proper incentives to invest in measures, such as better authentication, that improve cyber security. Some contend that cyber security is a public good and that the private sector may routinely underspend: the costs of security expenditures go directly to the bottom line, but the economic consequences of breaches are diffuse.30 Under this theory, unless more of the costs of security failures transfer to the institutions that fail to invest in security, adoption of authentication technologies will continue to lag.

Convincing critical infrastructure to adopt appropriate authentication measures is only part of the battle for better authentication. The designers of authentication products also need to focus on making those measures easy to use without reducing their effectiveness. Flaws in protocols and software implementations are sometimes used to foil authentication mechanisms, and authentication manufacturers, like all software manufacturers, need to address those issues as they arise. However, the bigger threat comes from user error. Through the misappropriation of authenticators, malicious actors can gain access to resources they are otherwise unauthorized to use. This information is often exposed by the weakest link in the authentication chain: the individual user.

One way to address this problem might be to increase the interoperability of credentials. When users have a need to access dozens of online retailers and remote servers, each with its own authentication mechanism, the obvious temptation is to take shortcuts: either to reuse authenticators across providers (e.g., use the same username and password in multiple places) or to store authenticators in an easily accessible location (e.g., put passwords in a text file on a user's desktop).31 Such shortcuts weaken the strength of authentication measures. If malicious actors can steal lists of authenticators from systems with weak protections or pull a stored list of authenticators off a user machine, they can use the authenticators to compromise a high-security target. It is easier to avoid such shortcuts when a user authenticates to a single identity provider, and that provider in turn offers the user's credentials to each relying party. On the other hand, the compromise of an authenticator used across multiple services can have widespread consequences. Too much centralization can be as dangerous as too little. As noted above, the commercial identities most likely to develop toward interoperability are unlikely to be useful in truly sensitive contexts. It is important, therefore, that interoperable systems intended to address these problems are implemented properly: technically secure, privacy-protective, and with appropriate provisions for multiple providers and for anonymous and pseudonymous identification at low LOAs.32
The most important ease of use concern, however, may be reducing the possibility of compromise through social engineering and other forms of intelligence collection. Social engineering (the act of manipulating users into turning over confidential information such as authenticators) is a key component of many attacks on authentication mechanisms. By socially engineering users or otherwise collecting information on those users, malicious actors obtain or recreate those users' authenticators without having to crack the authentication system itself. Striking the proper balance between usability and security is a key part of ensuring that authentication measures provide the expected amount of security.33

Attribution  Concerns. 

Even though IP addresses can help to determine physical location in many cases, they often fail to map traffic to a physical identity. Moreover, malicious actors have developed techniques that allow them to obscure their logical identity when sending traffic to a target. Such techniques include identity-stripping, multistage attacks, and multistep attacks.34 In order to battle these techniques, attributors would need additional information. This information could come from two sources: the collection and sharing of existing information between networks on the larger Internet, and the creation and collection of additional information connecting both logical and physical identities to incoming traffic.

Although IP addresses can be helpful in narrowing down a communicant's location, an Internet-facing IP address does not easily map to a particular user. In many situations, users connect to the Internet through systems using Network Address Translation (NAT). Such systems pool traffic from an internal network and send it out to the Internet from a single Internet-facing IP address, telling the internal devices apart only by the port numbers the NAT device assigns to each connection. These systems may or may not retain a history of the devices that used the service. Users can also move from local system to local system while continuing to communicate with a traffic recipient, which provides another way to change their IP addresses. Even when records from the right location at the right time can be found, they are likely to map only to a physical hardware address, not a physical user identity.35
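What "records from the right location at the right time" means in practice, as an added example (not from the chapter): a NAT device's translation log, parsed so that an investigator's question can be answered. The log format below is constructed for the example and is not any vendor's; the addresses are documentation ranges. The point it demonstrates is that the external IP address alone identifies nobody, because the same external port is handed to a second internal host minutes later, so a useful request must carry the protocol, the port and the instant, and even then the answer is an internal host address, not a person.

```python
"""Look up which internal host held an Internet-facing ip:port at a given instant.
Added example; the log lines are constructed, not captured from a real device."""
import re
from datetime import datetime

# Constructed sample: the NAT device logs each translation when it is created
# ("add") and torn down ("del"). External port 40001 is reused by a second host.
NAT_LOG = """\
2011-06-08T14:02:11Z NAT add 10.0.0.12:51234 -> 203.0.113.5:40001 proto=tcp
2011-06-08T14:02:40Z NAT add 10.0.0.33:44100 -> 203.0.113.5:40002 proto=tcp
2011-06-08T14:05:40Z NAT del 10.0.0.12:51234 -> 203.0.113.5:40001 proto=tcp
2011-06-08T14:06:00Z NAT add 10.0.0.33:44101 -> 203.0.113.5:40001 proto=tcp
"""

LINE = re.compile(r"^(\S+) NAT (add|del) (\S+) -> (\S+) proto=(\w+)$")


def parse_ts(text):
    """Parse the log's UTC timestamps (assumed format)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_translations(text):
    """Return translation intervals: dicts with proto, external, internal, start, end.
    `end` stays None for a mapping that was never torn down in the log."""
    active = {}
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts, op, internal, external, proto = m.groups()
        when = parse_ts(ts)
        key = (proto, external)
        if op == "add":
            entry = {"proto": proto, "external": external, "internal": internal,
                     "start": when, "end": None}
            active[key] = entry
            entries.append(entry)
        else:
            entry = active.pop(key, None)
            if entry is not None:
                entry["end"] = when
    return entries


def internal_host_for(entries, external, proto, at):
    """Which internal ip:port was behind `external` at instant `at`, or None.
    The interval is half-open: a mapping torn down exactly at `at` no longer counts."""
    for e in entries:
        if e["proto"] != proto or e["external"] != external:
            continue
        if e["start"] <= at and (e["end"] is None or at < e["end"]):
            return e["internal"]
    return None
```

Two observations follow from running it against the sample. A request for "who was 203.0.113.5 at 14:03" is unanswerable; a request for "who was 203.0.113.5:40001/tcp at 14:03:00Z" returns 10.0.0.12:51234, and the same question asked for 14:07 returns a different host. Tying 10.0.0.12 to a machine then needs the DHCP or ARP records for that network, and tying the machine to a person needs yet another source.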

Sophisticated malicious actors take steps to make attribution through logical addresses even more difficult. When a given attack does not depend on two-way communication, as when a malicious actor attempts to shut down a system by flooding it with traffic (a distributed denial of service [DDoS] attack), that sender may forge the source IP addresses on the packets it sends, since no reply needs to reach it, to stymie efforts at attribution. At that point, attributors must trace step-by-step back through packet logs that may or may not exist, and that are often not on machines controlled by the recipient, in order to find the packets' origin.
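Two things the text describes, the TTL as a distance estimate and the forged source addresses of a flood, meet in one well-known heuristic, shown here as an added example (not from the chapter): infer the hop count from the TTL, and flag packets whose hop count does not match the distance from which their claimed source normally arrives. It assumes that senders start from one of the common default initial TTLs (64, 128 or 255) and that each source's true distance is learned from traffic known to be genuine, such as completed TCP handshakes; the sample packets are constructed and use documentation addresses.

```python
"""TTL-based hop estimation and a hop-count check for spoofed sources.
Added example; default-TTL assumption and sample traffic are constructed."""
from collections import namedtuple

# Typical initial values: 64 (Linux, macOS, BSD), 128 (Windows), 255 (many routers, Solaris).
DEFAULT_INITIAL_TTLS = (64, 128, 255)

Packet = namedtuple("Packet", "src ttl")


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) for a TTL seen at the destination.

    Every forwarding router decrements TTL by one, so hops = initial - observed.
    The receiver cannot see the initial value; the usual heuristic assumes the
    smallest common default that is not below the observed value.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest TTL")


def learn_hop_table(trusted_packets):
    """Map each source to its hop distance, from packets known to be genuine."""
    return {p.src: estimate_hops(p.ttl)[1] for p in trusted_packets}


def flag_spoofed(packets, hop_table, tolerance=1):
    """Return packets whose TTL-derived hop count disagrees with the learned
    distance of their claimed source. A forger can copy an address, but its
    packets still arrive with the TTL of the forger's own path and OS."""
    suspicious = []
    for p in packets:
        expected = hop_table.get(p.src)
        if expected is None:
            continue  # source never seen legitimately; nothing to compare against
        if abs(estimate_hops(p.ttl)[1] - expected) > tolerance:
            suspicious.append(p)
    return suspicious


# Constructed sample traffic.
TRUSTED = [Packet("203.0.113.7", 116),   # a Windows host (128) twelve hops away
           Packet("198.51.100.9", 54)]   # a Linux host (64) ten hops away
INCOMING = [Packet("203.0.113.7", 117),  # eleven hops: a route change, within tolerance
            Packet("203.0.113.7", 54),   # claims the Windows host, but looks like a 64-TTL sender ten hops out
            Packet("198.51.100.9", 53),
            Packet("192.0.2.1", 40)]     # unknown source, skipped
```

The estimate is only a heuristic: an observed TTL of 50 is read as 14 hops from a 64-TTL host, but could equally be 78 hops from a 128-TTL host, and an attacker who knows the victim's table can set the initial TTL of forged packets to match. That is the sense in which such checks raise the cost of identity-stripping without removing the need for the logs the paragraph describes.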

Even when an attack does require two-way communication, a sender may disguise his logical identity in other ways. Multistage attacks, for example, route through large numbers of servers and/or through networks of compromised computers (botnets). By issuing commands with several intermediate recipients between source and destination, the controller again requires a prospective attributor to trace control information back through those routes. That path will likely include machines that are not part of the recipient's network and that are beyond the easy reach of investigators in the country where the recipient resides. Many multistage attacks also take place in several temporally distinct steps. In other words, over a long period of time, individual machines may be compromised, and the resident malicious software will lie dormant until activated by a controller. Such multistep attacks can make finding the original sender even more difficult, because information required to trace the traffic back to its origin may not have been retained.

These malicious techniques rely on the proposition that tracing traffic through multiple networks is difficult. One possible policy intervention, then, is to increase the ease with which data are shared between networks and between machine owners. However, the number of entities that potentially hold relevant routing data is very large, consisting of essentially every computer connected to the Internet. Creating a trusted network for information sharing even just among the community of ISPs has not proven feasible yet, especially when service providers are in different countries. "[C]ooperation among institutions that possess this data has been slow to emerge" for a number of reasons.36

As with the slow adoption of authentication mechanisms, incentives may be part of the problem.37 Those who possess relevant data may not suffer enough direct damage to make information sharing a priority. Legal barriers to information sharing between ISPs may also play a role. ISPs may fear that sharing such information will run afoul of federal laws on the privacy of communications data.38 Cautious legal counsel may advise against testing the boundaries of the law. Finally, there may also be technical barriers. Some routers may not currently possess the capabilities required to store traffic information for a significant length of time, or to perform more advanced monitoring of traffic.

Once domestic barriers are addressed, the more challenging problem of sharing traffic information across international borders remains. Law enforcement agencies such as the Federal Bureau of Investigation (FBI) do work across borders to track cybercriminals, and several Western nations have ratified the Budapest Convention, a framework for sharing information related to online crime.39 However, attempts to create a legal framework that reaches more countries and covers a wider range of cyber security incidents have not progressed.40 Cyber attacks cross and re-cross borders before reaching their targets. So long as some nations fall outside the network of cooperation, attribution may not be able to proceed further than determining a country of origin.

Going beyond attempts to increase information exchanges, policies could also attempt to create entirely new information trails. The simplest means of doing so would be to implement some of the authentication-oriented changes discussed in the previous section. Attribution is only possible where there is information to audit; instituting new and stronger authentication and authorization mechanisms with associated auditing capabilities and deploying them to critical systems creates that information. Building attribution capabilities into authentication systems is part of the classic network identity and security paradigm known as authentication, authorization, and accounting (AAA).41 Computer security experts use authentication mechanisms to establish the acceptability of an identity and authorization mechanisms to associate it with actions. Then, through an accounting and logging system, these mechanisms provide records for investigators to retroactively check that identity's use of the system, in other words, to attribute actions.
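The three steps of AAA in one small service, as an added example (not from the chapter): authentication against a per-user shared secret, authorization against a permission table, and accounting into a log that an investigator queries to attribute actions on a resource. The users, permissions and resource names are constructed. One design choice goes beyond the paragraph: each log record carries the hash of the previous one, so that an intruder who edits the log to shift blame is detectable, which matters because attribution is only as good as the integrity of the records it reads.

```python
"""Authentication, authorization and accounting with a tamper-evident log.
Added example; users, secrets and permissions are constructed."""
import hashlib
import hmac
import json
import secrets


class AAAService:
    def __init__(self):
        self._secrets = {}   # user -> shared secret      (authentication)
        self._perms = {}     # user -> {(action, resource)} (authorization)
        self._sessions = {}  # session id -> user
        self.log = []        # accounting records, each chained to the previous
        self._prev = "0" * 64

    def add_user(self, user, secret, perms):
        self._secrets[user] = secret
        self._perms[user] = set(perms)

    def authenticate(self, user, secret):
        """Return a session id on success, else None. Both outcomes are accounted for."""
        ok = user in self._secrets and hmac.compare_digest(self._secrets[user], secret)
        self._account(user, "login", "-", ok)
        if not ok:
            return None
        sid = secrets.token_hex(8)
        self._sessions[sid] = user
        return sid

    def perform(self, sid, action, resource):
        """Authorize `action` on `resource` for the session's user and record the decision."""
        user = self._sessions.get(sid)
        if user is None:
            return False  # unauthenticated: nobody to attribute the attempt to
        ok = (action, resource) in self._perms[user]
        self._account(user, action, resource, ok)
        return ok

    def _account(self, user, action, resource, allowed):
        rec = {"seq": len(self.log), "user": user, "action": action,
               "resource": resource, "allowed": allowed, "prev": self._prev}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self._prev = rec["hash"]
        self.log.append(rec)

    def attribute(self, resource):
        """The investigator's query: who did what to `resource`, in order."""
        return [(r["user"], r["action"], r["allowed"]) for r in self.log if r["resource"] == resource]

    def log_intact(self):
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = "0" * 64
        for r in self.log:
            body = {k: v for k, v in r.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if r["prev"] != prev or digest != r["hash"]:
                return False
            prev = r["hash"]
        return True
```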

More fundamental technological changes might include generating more information about traffic as part of the routing process, linking logical identity more tightly to traffic, and even tying physical identity to logical identity through some sort of registration process. All of these methods would create at least some additional information useful to attributors, but the barriers to uniform global cooperation are very high, and the associated technologies could also be subverted by sophisticated malicious actors. Putting such changes into place would also have moderate-to-severe consequences for privacy and anonymity, as the next section discusses.

PROPOSED SOLUTIONS TO CYBER SECURITY IDENTITY PROBLEMS: WEIGHING THE OPTIONS

Suggestions for solving cyber security identity problems are numerous. This final section lays out some proposals that have been raised in various legislative, technical, and diplomatic forums: first those aimed at authentication issues and then those aimed at attribution issues. This section briefly discusses some of the strengths and weaknesses of each proposal and also sheds light upon any significant effects that policy interventions may have in areas beyond cyber security. Ultimately, the section concludes that authentication-oriented proposals are more likely to create substantial security benefits and less likely to result in undesirable consequences for other values than attribution-oriented proposals, and that policymakers should strongly consider less coercive means of increasing the uptake of successful authentication technologies before turning to regulatory solutions.42
Authentication-Related Policy Proposals.

• Specify or improve cyber security standards, levels of assurance for private-sector systems, and/or metrics for authentication products. The creation, improvement, and adoption of security standards and metrics for both systems and products can help prioritize the deployment of strong authentication where it is most needed. Such standards could be developed through various processes, involving more or less governmental involvement, and their adoption could be promoted by a variety of means. The White House has suggested that a federally guided process for developing LOAs and metrics would help fill important gaps.43

Without prioritization, any movement toward greater authentication could be chaotic, so better-defined LOAs and metrics would help focus efforts toward securing critical infrastructure first. Ideally, standards and metrics would be industry-created, given the superior understanding of authentication system design in the private sector. Government-created standards or metrics run a risk of ossifying authentication system design because of their potential inflexibility. Given the information deficit in the private sector regarding the nature of the cyber security threat, however, government collaboration in standards design in some capacity seems appropriate.
• Mandate authentication mechanisms for critical infrastructure. It may not be sufficient to wait for owners to comply voluntarily with suggested government levels of assurance.44 Multiple cyber security bills put forward in a recent session of Congress considered the imposition of regulatory standards on critical infrastructure systems, authority that could encompass standards for authentication.45

Regulation may be capable of pushing strong authentication standards onto critical infrastructure farther and faster than merely voluntary standards and LOAs, assuming that the designated regulator issues regulations in a timely manner and with sufficient specificity. At the same time, regulation in highly technical areas like information security can slow innovation and hold back the adoption of new and better security mechanisms. Moreover, before critical industries can be regulated, they must be defined; some of the recent bills are vague on what systems should be covered.46

Separately, the mandating of authentication may stifle both innovation and free speech rights unless "critical infrastructure" is carefully delimited. While multifactor authentication may be desirable for some factories and power plants, it is inappropriate for the government to demand that many other networked systems, such as communications networks, authenticate their users. Anonymity is a core free speech value,47 and maintaining the right to anonymity in online communication is critical to keeping that right vital in the digital age.
• Increase the costs to various parties of breaches caused by the failure to take sufficient security measures. Increasing the costs of an avoidable security failure to the responsible ISP, network service provider, security software provider, or system operator would increase those parties' willingness to take steps to improve authentication. Cost increases could come in the form of regulatory fines for breach or in tort damages to affected parties. Legal scholars have suggested various ways to shift cost.48

As a practical matter, such approaches may be difficult to implement because of the complexities of determining causation in cyber security breach cases,49 as well as the difficulties of defining a standard of care. These uncertainties, compounded by innate difficulties in predicting outcomes in the court system or in regulatory processes, may also cause innovation in security technologies to slow as service providers choose only those technologies that are court- or regulator-approved.

• Enhance federal compatibility with commercial identity infrastructure. It has been proposed that security in the consumer and e-government contexts could improve by enhancing the interoperability of identity. This is a major theme of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).50

While the NSTIC is premised on the principle that the private sector should have the lead in the development of identities for access to online services, the federal government might be able to speed adoption of interoperable credentials by relying on commercially issued identities for authenticated transactions with government agencies. The White House strategy recognizes that over-centralization of identity data poses privacy risks. Among other things, identity providers could have a broad window into online behavior. The White House proposal calls for an identity ecosystem that would allow users to move freely between identity providers.51

Attribution-Related Policy Proposals.

• Improve domestic sharing of cyber attack-related information. Attack traceback is a critical component of attribution, and information sharing facilitates that traceback. The sharing of cyber security information between ISPs and other network operators in the United States is thus an important step in malicious code analysis and attack prevention, not least because it pools information about attacks that can lead to attribution. The major service providers and network backbone providers already share some information, but have floated proposals that would allow them to share more.52

Improving information sharing may require amendments to existing electronic privacy laws, and creating or expanding cyber security information-sharing exceptions will inevitably pose privacy concerns. Narrowly tailoring any new exception could help to minimize the impact on privacy.
• Improve international sharing of cyber attack-related information. Information sharing is especially important when international traffic is involved; sharing across borders is the only reliable way to attribute traffic to foreign end users. The Budapest Convention on Cybercrime recognizes this importance: of the seven articles that contain specific obligations for parties, six require cooperation in data retention and information sharing, and the seventh requires a 24-hour point of contact for data requests.53 However, implementation to date has been limited; even between signatories, sharing is not swift or guaranteed.54 Broader ratification of the convention and the adoption of a protocol giving more specificity to information-sharing obligations might help.

However, international information-sharing frameworks that are not carefully designed or do not include adequate standards risk both inadvertent or unjustified sharing of Americans' private data with overseas entities and the possibility that American companies may need to participate in enforcing foreign laws in contravention of U.S. foreign policy goals. Since a large percentage of the world's Internet traffic passes through the United States, a large share of the burden of improved information sharing might fall on U.S.-based service providers. In a larger national security framework, rules that guaranteed information sharing could undesirably tie American hands, given our reported advantages in cyber offense and cyber exploitation.55
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•  Institute  IP  traceback  mechanisms  on  a  vol¬ 
untary  or  mandatory  basis.  Some  technologi¬ 
cal  solutions  to  the  attribution  information 
deficit  have  been  discussed.  One  set  of  solu¬ 
tions  involves  the  implementation  of  IP  trace- 
back  mechanisms,  which  require  routers  and/ 
or  other  intermediaries  between  the  sender  and 
recipient  of  a  stream  of  traffic  to  send  signals 
periodically  to  the  recipient.  In  theory,  the  re¬ 
cipient  will  ultimately  hear  from  many  points 
along  the  path  that  the  traffic  has  traveled, 
which  will  assist  in  reconstructing  the  path 
from  source  to  destination. 

There have been a number of proposals for performing IP traceback
without redesigning fundamental network protocols.56 As of May 2008, a
working group at the International Telecommunications Union (ITU) was
attempting to create a unified IP traceback standard for
telecommunications equipment manufacturers.57 The intermediary use of
ITU-standards-compliant routers is voluntary. A regulatory process for
critical infrastructure, as proposed in some cyber security bills, could
make it mandatory on a domestic basis but, as with other solutions
requiring cross-border implementation, the problems of international
adoption remain daunting. Also, IP traceback mechanisms beyond simple
logging have seen only limited use in the real world. They may be highly
effective or trivially avoidable.
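
The mechanism the two paragraphs above describe, routers along a path
periodically telling the recipient "this packet came to me from that
hop", can be simulated in a few lines. The following Python is an added
example, not part of the original chapter and not a scheme the chapter
cites; it follows the iTrace-style idea in which each intermediary, with
a small probability per packet, sends the recipient a message naming
itself and its upstream hop, and the recipient chains those links
backwards from the hop it is directly connected to. The topology, router
names, sampling rate and packet counts are constructed placeholders. The
second run illustrates the adoption problem the text raises: one router
that does not participate leaves a gap the recipient cannot see past.

```python
import random
from collections import namedtuple

# Constructed topology (placeholder names, not real hosts): the sender S,
# five intermediaries, and the recipient V that wants to attribute the
# traffic. PATH is ordered from the sender towards the recipient.
PATH = ["S", "R1", "R2", "R3", "R4", "R5"]

TraceMsg = namedtuple("TraceMsg", "router previous_hop")

def forward(path, participating, n_packets, q, rng):
    """Simulate n_packets travelling along path. For each packet, every
    participating router sends the recipient a traceback message with
    probability q, naming itself and the hop it received the packet from.
    The packet's own source address is never consulted, which is why the
    recipient can learn something even when that address is forged."""
    messages = []
    for _ in range(n_packets):
        for i in range(1, len(path)):
            router, prev = path[i], path[i - 1]
            if router in participating and rng.random() < q:
                messages.append(TraceMsg(router, prev))
    return messages

def reconstruct(messages, last_hop):
    """Recipient side. Each message is a link 'router <- previous_hop';
    starting from the hop the recipient is directly attached to, follow
    the links upstream until no further link is known. The chain ends
    either at the true origin or at the first hop that never reported,
    and the recipient cannot tell the two cases apart on its own."""
    upstream = {m.router: m.previous_hop for m in messages}
    chain, cur = [last_hop], last_hop
    while cur in upstream:
        cur = upstream[cur]
        chain.append(cur)
    return chain

def demo(q=0.02, n_packets=1500, seed=11):
    """Return two reconstructed chains, nearest hop first: one with every
    router participating, one where R3 sends no traceback messages."""
    rng = random.Random(seed)
    everyone = set(PATH[1:])
    full = reconstruct(forward(PATH, everyone, n_packets, q, rng), "R5")
    gap = reconstruct(forward(PATH, everyone - {"R3"}, n_packets, q, rng), "R5")
    return full, gap

if __name__ == "__main__":
    full, gap = demo()
    print("all routers participate:  ", " <- ".join(full))
    print("R3 does not participate:  ", " <- ".join(gap))
```

With the constructed rate of one message per fifty packets, a few
thousand packets suffice for every hop to report; the real proposals use
far lower rates so that the messages themselves do not become a
nuisance. The same chaining logic applies whether the "signal" travels
in a separate message, as here, or in a mark carried inside the packet.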

To the extent that IP traceback is effective, it would provide a
powerful tool to attributors. It will also present a barrier to the
privacy and anonymity of users vis-à-vis both governments and ISPs.
While not as dangerous as full-on authentication for all communications
networks, IP traceback still provides intermediaries with enough
technical know-how a way to trace "undesirable" speech. This would be a
powerful tool for governments interested in tracking and stifling
dissenters.

For example, as the recent revolutions in Egypt and Libya demonstrated,
the Internet is invaluable for organizing and for circumventing
government control of other communications channels.58 One critical
component of dissidents' online activities has been the use of tools
designed to circumvent government surveillance, many of which are
financed, in part, by the U.S. Government.59 Traceback mechanisms
threaten the use of those tools and the safety of those activists.

• Readdress the Internet along geographical lines. As the Internet moves
from an older version of the IP (IPv4) to a newer one (IPv6), there may
be an opportunity to map logical addresses more closely to physical
addresses. The larger address space of IPv6 may make it easier to
permanently associate some subset of physical devices with fixed logical
addresses. It also provides a rare chance to reconsider the procedures
for assigning addresses. At least one ITU proposal has suggested that
IPv6 addresses be assigned along geographical lines.60 Again, achieving
consistent international implementation seems unlikely, especially when
certain government agencies themselves would likely resist being
reliably identified.

Pinning logical addresses to devices and/or assigning them
geographically would assist in attribution, although careful safeguards
would have to be in place to avoid the falsification of addresses
(spoofing). Any strong link between IP and physical devices might assist
in the persistent tracking of the user of that device, even over
multiple Internet sessions, which raises privacy and free speech
concerns similar to those discussed in the previous section.

• Engineer more identity information into packets. Some technologists
have also proposed redesigning the IP or other base protocols to carry
more reliable identity information about the sender within each packet.
The simplest proposals in this area merely attempt to alter routing
information to make spoofing of logical addresses more difficult.61
Others add device-identifying signatures directly to each packet.62 Some
policymakers have even implied that each packet should link to identity
information about the user rather than that user's device, presumably
through some sort of authentication mechanism.63

Technologists argue that user-focused proposals, in particular, are only
marginally helpful in solving attribution problems.64 Both user- and
device-oriented changes to IPs raise market action, innovation, and
civil liberties issues. Only heavy subsidies or heavy regulation will
persuade institutions and individuals to give up their existing Internet
devices. Any Internet-like network that has identity-storing gatekeepers
is also a network with significantly higher barriers to entry for
innovators, who may now need permission to operate their online
services. Such a network would make anonymous speech much more difficult
and sharply reduce online privacy.

After examining all of these proposals in the context of their security
effects and their effects in other realms, it is clear that there are
two major differences between the class of attribution-oriented
proposals and the class of authentication-oriented proposals. First, the
civil liberties impacts of many of the attribution-oriented proposals
may be heavy — the technical proposals, in particular, impact privacy,
free speech, and anonymity both at home and abroad — while the civil
liberties impacts of the authentication-oriented proposals, if
appropriately restricted to critical infrastructure, are lighter.
Second, the attribution-oriented proposals address both the creation and
deployment of new and unproven technologies, while the
authentication-oriented proposals focus mostly on deployment alone,
because existing authentication technologies are largely proven.

This suggests that given limited resources, policymakers should focus
heavily on authentication-oriented policies as the more effective option
for addressing the cyber security identity information deficit. These
policies rely on established successful technologies rather than on
unproven changes to the fabric of the network, and they carry fewer
ancillary concerns for other national values such as civil liberties and
innovation. This is so, in large part, because they can target where
needed rather than requiring broad-based deployment across
communications networks, and therefore the civil liberties penalties
fall largely on the limited subset of users who access critical systems
rather than the full spectrum of Internet users. Moreover,
authentication improvements can also help address attribution concerns
as they relate to critical systems — as part of the AAA model of
identity and security, authentication can provide the basis for better
auditing, which in turn can drive better attribution. By ensuring the
deployment of state-of-the-art authentication technologies to critical
systems, policymakers may also be able to eliminate a substantial
portion of the attribution problem.

Separately, there is a follow-on question as to the right mix of
incentives for deploying authentication technologies. Striking the right
balance between financial incentives, regulatory commands, and
collaborative government-industry standards-setting and research should
be the key concern of policymakers. Given the potential economic
consequences of a top-down regulatory approach, which can backfire,
legislators should promote incentives and collaboration as an
alternative to regulation where possible.

CONCLUSION

Addressing the identity problems associated with cyber security requires
policymakers to distinguish among the various functions of identity
technologies, including authentication and attribution. Many proposed
solutions aimed at improving online identity for cyber security purposes
would impinge on other values. As a result, any attempt to intervene in
online identity technologies will demand a careful balancing of costs
and benefits, with serious consideration given to that intervention's
impacts upon civil liberties, economic freedom, technological
innovation, and global discourse. After considering these issues in this
more global context, policymakers will find that deploying better
authentication technologies to critical infrastructure is the best first
step in cyber security identity policy.

CHAPTER 7

EXPLORING THE UTILITY OF OPEN SOURCE DATA TO PREDICT MALICIOUS SOFTWARE
CREATION

George W. Burruss
Thomas J. Holt
Adam M. Bossler

A version of this chapter was presented at the annual meeting of the
American Society of Criminology in 2009 in Philadelphia, PA, and at the
Department of Defense Cybercrime Conference in 2010 in St. Louis, MO.
The authors thank Joseph K. Young of Southern Illinois University,
Carbondale, for his helpful suggestions about an earlier draft of this
chapter.

INTRODUCTION

The information security community has developed a variety of tools to
identify and defend against malicious software, though few in the social
sciences have explored the environmental and social factors that may
affect the creation and distribution of malware. This is due in part to
the dearth of available data on the country of origin of malicious
software developers and the volume of tools created by hackers across
the world. Open source malware repositories exist in online
environments, though it is not clear how valid or reliable this
information may be to understand the scope of malware. This chapter
explored the value of open reporting for malware creation and
distribution, and considered how this information may combine with other
measures to explore the country-level economic, technological, and
social forces that affect the likelihood of malware creation. The
findings will improve our understanding of the value of open source data
and the prospective influences of macro-level computer crime and hacking
in a global context.

Although studies of cybercrime have grown exponentially over the last 2
decades, there are multiple issues regarding the validity and
generalizability of cybercrime data.1 In general, official data on most
forms of cybercrime are non-existent, inadequate, or inaccessible to the
public.2 Though various entities in the private sector collect
information on certain cybercrimes, malware trends, and specific
attacks, they may be unwilling to share that information with
researchers because of proprietary methods or information that may be
lost.3 Therefore, most social science scholars interested in the
phenomenon of cybercrime collect primary data, often from college
students, to understand the scope and predictors of both participation
in cybercrime and experiences with victimization. These studies provide
useful information on various forms of cybercrime and cyber deviance,
such as digital piracy,4 online harassment,5 and minor forms of computer
hacking.6 These populations do not, however, appear to engage in the
creation of malicious software or more serious forms of computer
hacking, which limits our understanding of these phenomena.7

For those interested in studying cybercrime at the macro level, data
collection and aggregation challenges are even more complex.
Cross-national comparisons of crime have been problematic for the study
of traditional crimes, since official crime statistics are not available
or reliable for many non-Western nations.8 In addition, reporting crime
to law enforcement agencies is not consistent across the world, creating
pockets of underreporting. Finally, behaviors are defined and
criminalized differently across countries and regions. For example, N.
L. Piquero and A. R. Piquero explain that the East and West view
intellectual property differently.9 Developing nations that have desires
for continued economic and technological growth may have no interest in
passing and/or enforcing legislation protecting intellectual property,
as this would otherwise hinder growth and development. As a consequence,
cross-national research often examines more traditional and
consistently operationalized offenses such as homicide, using data
collected by international nongovernmental agencies.10

One way that researchers may move beyond the data aggregation issues
affecting cybercrime is through the use of data developed in online
environments such as web forums, bulletin board systems, and archival
websites.11 The emergence of the Internet enables significant social
interactions between individuals across the globe, whether through
real-time communications via email or instant messaging, or asynchronous
methods like blogs and texts.12 As a consequence, researchers can mine
these data sources for information to understand cybercrime better, much
the same way as traditional ethnographic research on criminal behavior
in the real world.

In particular, there are websites that act as online repositories that
maintain information on the discovery and description of malicious
software and attacks against various resources.13 Individuals in the
hacker community often discuss the tools and resources they find with
others in forums and chat rooms in order to gain social status or
respect from their peers.14 Sharing resources may also help elevate an
individual's reputation in the digital underground by demonstrating
their skill and ability.15 Furthermore, the computer security community
maintains open source repositories of vulnerabilities and exploits —
identified in various outlets — to improve awareness of security trends,
thereby increasing overall levels of security.16

As a consequence, examining these sites can provide practical secondary
data sets for social science researchers to understand the potential
distribution of malware creators across the globe, the complexity or
functionality of these tools, and the influence of various social
factors on cybercrime at the macro-level. Data from these repositories
can help fill the void left by the lack of reliable and accessible data
by the government and private sectors. In addition, these repositories
neither rely on governments to report data nor on individuals within a
country to report the offensiveness or victimization that has occurred
in that country. Instead, interested parties from other countries who
have made discoveries can provide information on that software,
alleviating many of the problems described and identified in Piquero and
Piquero's study of software piracy, regarding cultural definitions of
intellectual property and their willingness to protect it.17 Given the
increasing availability and proliferation of open source repositories
for information about cybercrimes and attacks in online environments,
this study utilized a sample of data developed from one such repository
to examine the macro-level predictors of malicious software creation.

LITERATURE REVIEW

The Problem of Malware.

Malicious software systems, or malware, include computer viruses, worms,
and Trojan horse programs that can alter functions within computer
programs and files, thus enabling attacks against a massive number of
targets. Viruses can conceal their presence on computer systems and
networks, and can spread via email attachments, downloadable files,
instant messaging, and other methods.18 Trojan horse programs also often
arrive via email as a downloadable file or attachment that people would
want to open, such as photos, videos, or documents with misleading
titles such as "XXX Porn" or "Receipt of Purchase." When the file is
opened, it executes some form of malicious code.19 In addition, some
malware is activated by visiting websites, which exploit flaws in web
browsers.20 Though worms do not involve as much user interaction as other
malware because of their ability to use system memory and to
self-replicate, humans can facilitate their spread by simply opening
emails that have the worm code embedded in the file.21

The losses associated with malicious software infections and theft are
massive, due in part to the costs to remove these programs from a
network, declines in productivity among employees and computer systems,
and customer apprehension about compromised web pages or online
resources.22 For example, U.S. companies who participated in a recent
Computer Security Institute study reported losing an average of $40,000
per respondent due to viruses and $400,000 due to another form of
malware called botnet infection.23 Furthermore, the risk of malicious
software is difficult to mitigate: almost 25 percent of personal
computers around the world that run some security solution nevertheless
have malware loaded into their memory, compared with 33.28 percent of
unprotected systems.24 Thus, malware infection poses a significant
threat to Internet users around the globe.

Despite the significant role and utility of malicious software in
cybercrime, there is generally little research examining the creators
or developers of malware. Individual-level studies suggest that the
creators of malware tend to be lone hackers or individuals working in
small groups to produce the tools that can be used for financial theft,
fraud, or as an instrument to facilitate greater access to computer
systems and networks for subsequent attacks.25 Explorations of the
hacker community indicate that hackers exist within a subculture that
values profound and deep connections to technology.26 This subculture is
also a meritocracy where others are judged based on their capacity to
utilize computers in unique and innovative ways.27 Access to computer
hardware, software, and Internet connectivity varies by place, though
there is evidence to suggest hacker communities are present in areas
across the emerging world, including North Korea, Central America, and
Northern Africa.28 Thus, one need simply obtain access to computer
technology in order to participate within this community.

Hackers are also driven by a variety of motives, particularly status,
ego, cause, entry into social groups, and, most notably, economic
gain.29 Hackers also have shifting ethical beliefs about hacking, which
concern the consequences of their actions, as demonstrated by their
willingness to share hacking tools and sensitive or fraudulently
obtained information in public outlets online.30 Thus, developing and
releasing a highly functional program like a virus, worm, or Trojan
horse is a sensible act for a hacker, because he or she may gain respect
and status among others, and capitalize on these programs to generate a
profit.

Despite the significant risks of hackers and malware to all individuals
connected to the Internet, no agreement has been reached worldwide on
the best strategies to curtail these problems. For example, the U.S.
Computer Fraud and Abuse Act can be used to prosecute the distribution
of malicious software through "any computer connected to the Internet,
regardless of whether the computers involved are located in the same
state."31 Similar statutes, or models for statutes, such as the United
Kingdom (UK) Computer Misuse Act and the Council of Europe Convention on
Cybercrime, are in place in industrialized nations to prosecute malware
writers and distributors.32 Emerging industrial nations, however, are
less likely to have developed legal guidelines related to malware and
other forms of cybercrime.33 As a result, there are now legal safe
havens where malware writers and hackers can operate with minimal risk
of extradition and prosecution.34 For instance, individuals sell
services to host malicious software and pornographic materials in
Malaysia and other parts of Southeast Asia, where there are fewer legal
risks for the buyers, sellers, and operators.35

THEORIZING THE STRUCTURAL CORRELATES OF MALWARE CREATION

Though scholars are starting to learn more about hackers and their
subculture, little research exists on the macro-level factors that
provide a supportive milieu for individuals to develop malicious
software. This is problematic, considering that evidence suggests a
great deal of modern malware is created and used by computer hackers in
foreign countries, particularly China, Russia, Brazil, and Eastern
Europe.36 Few have considered what technological, economic, or social
conditions engender the development of malware in these nations, and
little to no research considers what forces constrain malware creation.
This is a particularly significant issue, given the changing landscape
of technology and the economic and social conditions related to access
to the Internet and computer resources. As a consequence, it is unclear
what factors encourage or hinder malicious software production.

For example, the gross domestic product (GDP) of a nation may have a
significant influence on the level of malware produced by a given
nation. Specifically, as the economy of a nation improves, this will
increase the proliferation of technological infrastructure and
resources, which may increase the capacity for actors to become part of
the larger international hacker community. Countries with poor economic
conditions in comparison to other countries may have less access to
high-speed Internet connectivity and powerful computer technology,
diminishing the resources available to hackers.37 A strong economy may
also foster a competitive and stable educational system in which
computer skills are taught, thus providing a larger labor force with
more advanced skills. As long as there is economic growth and stability,
individuals with computer skills and training should have access to
legitimate jobs within the information technology service sector where
many hackers find legitimate employment. Developing nations appear to
have an interest in creating and using malicious software that can be
applied in information-warfare campaigns against rival nations.38 Such
attacks can be performed with minimal economic investment and low risk
of attribution to the originating nation, thereby increasing their
overall efficiency. Thus, it is hypothesized that, as GDPs increase,
countries become more suitable environments for hackers and the
creation of malicious software.

In addition, the number of Internet hosts available in a nation may play
a critical role in enabling hackers to create and distribute malware.
The global connectivity afforded by the Internet enables hackers to
identify and use resources created by different entities around the
world.39 At the same time, research has noted that substantial hacker
communities in Russia, China, and Turkey often utilize web resources
created and hosted within their nations as a means of limiting access to
outsiders.40 Thus, if a nation has a larger number of web-hosting
resources available, there may be greater opportunities to develop,
promote, and share malware and hacking information with their fellow
countrymen. This suggests Internet hosting may have a positive impact on
the creation of malware.

A country's political system may also influence the production of
malware. In theory, one would speculate that democratic or
representative government structures, which provide fewer restrictions
on individual behavior, would be more likely to encourage innovation and
creative efforts. As a consequence, hackers could work covertly to
develop resources with less fear of brutal reprisals from the
government.41 However, democratic countries are generally where
intellectual property originates, and thus have some of the most
stringently enforced intellectual property laws.42 In addition,
totalitarian regimes have historically allowed hackers to attack victims
in other nations and have employed or exploited hackers as a means to
attack competing democracies.43 For example, there are a number of
reports indicating that hackers with ties to the Chinese military or
government have engaged in attacks against the United States and other
nations in order to steal sensitive information.44 Since the
identification of individual hackers is difficult, countries can target
their enemies through individual hackers without fear of political
reprisal. Thus, it is hypothesized that malware will be more often
created and utilized in countries with totalitarian regimes than in
democratic nations with more political rights.

The ethnic and religious composition of a nation may also affect what
countries are more likely to host the creation of malware, but it might
affect it on a case-by-case basis. Specifically, a substantial mix of
ethnic groups or religions within a nation may cause civil unrest and
lead to attacks against different groups within that nation. A
predominant ethnic identity within a nation may lead a minority group to
utilize hacks and malware as a force multiplier against the
government.45 This is evident in Sri Lanka, where an offshoot of the
group the Tamil Tigers uses hacking techniques as a means of disrupting
government operations.46 However, a homogeneous population might simply
aim its attacks outwardly rather than inwardly. For example, Turkish
hackers frequently attack targets outside of the borders of their
Muslim-majority nation.47 Thus, it is unclear what effect ethnic and
religious compositions may have, if any, on malware production.

THE PRESENT STUDY

Despite the significant problems posed by malware, there is little
research examining the economic, technological, and social factors that
may affect its creation. In this chapter, we propose that online
repositories containing data on malicious software can be valuable to
study the macro-level correlates of malware creation. If fruitful, this
would provide researchers with an additional avenue to study malware
specifically and cybercrime generally. Some prospective hypotheses can
be derived by considering the extant literature on computer hackers and
technology adoption. Specifically, environments will be more suitable
for the creation of malicious software as GDP and Internet hosts
increase in countries governed by regimes that limit political rights.
It is unclear how ethnic and religious composition will relate to
malware creation. Adopting a similar strategy used by K. Drakos and A.
Gafos in their study of transnational terrorist attacks,48 this study
explored the global variation in the production of malicious software
through a zero-inflated negative binomial regression (ZINB). In this
way, this chapter contributes to the literature by developing an
empirical profile of country-level variables that can predict malicious
software production while illustrating the usefulness of open source
repositories.

DEPENDENT VARIABLE

The data for the dependent variable used for this study (MALWARE) came
from an open source malware repository where individuals could post
information obtained on malicious software, either because the
individual created a program or identified it in the wild.49 This open
source repository provided self-reported information on malware around
the globe. In order to report information to the website, an individual
would send an email detailing the tool with as much information as
possible to the site's director. This repository has been in existence
for some time, as it maintains records on malware going back to 2001.
Such information would suggest the repository had some recognition in
the computer underground and was reputable. It is, however, apparent
that self-reporting may undercount the actual number of malicious
software programs produced and released by the hacker community.

Given the range of years available, the dependent variable for this
analysis was the number of malicious software programs reported in a
country in the years 2006, 2007, and 2008 (see Table 7-1 for descriptive
statistics). It was necessary to combine multiple years as the number of
countries reporting a positive count was extremely low each year: 18,
24, and 18, respectively. Combining these years, however, increased the
number of countries with a positive count to 30. This ensured sufficient
power for both processes in the ZINB model. Limiting the years included
minimized errors due to lagged effects or to changes in the independent
variables relative to their 2008 values.

Many of the malware reports did not identify a country of origin for the tool (50 percent of all reports). As a result, a number of cases were excluded from the analysis, which may contribute to the undercounting of countries in this chapter. There is, however, significant difficulty in properly identifying the point of origin for a piece of malicious software. Specifically, a malware writer may state where he or she created the tool in the program notes, or may post the tool directly into this repository with the necessary information. Some programs may not contain such information, however, and an individual may then ascribe an origin point based on the language character set, such as Cyrillic, Chinese, or Western, used in the user interface of the tool kit. While these conditions may affect the validity of the dependent variable, it is still likely that the attributions are accurate and provide some insight into the location of malware creation.

Number of reported programs   Countries

0          Afghanistan, Albania, Algeria, Andorra, Angola, Antigua and Barbuda,
           Armenia, Australia, Austria, Azerbaijan, Bahamas, Bahrain, Bangladesh,
           Barbados, Belarus, Belize, Bhutan, Bolivia, Botswana, Brunei,
           Burkina Faso, Burma, Burundi, Cambodia, Cameroon, Canada, Chad,
           Costa Rica, Cote d'Ivoire, Croatia, Cyprus, Czech Republic, Djibouti,
           Dominica, Dominican Republic, Ecuador, El Salvador, Estonia, Ethiopia,
           Fiji, Finland, Gambia, Ghana, Greece, Grenada, Guinea, Guinea-Bissau,
           Guyana, Haiti, Hungary, Iceland, Indonesia, Ireland, Israel, Japan,
           Jordan, Kazakhstan, Kenya, Kiribati, South Korea, Kyrgyzstan, Laos,
           Latvia, Lesotho, Liberia, Libya, Liechtenstein, Lithuania, Luxembourg,
           Macedonia, Malaysia, Mali, Marshall Islands, Mauritania, Mauritius,
           Micronesia, Moldova, Mongolia, Mozambique, Namibia, Nauru, Nepal,
           New Zealand, Nicaragua, Niger, Norway, Pakistan, Panama, Paraguay,
           Philippines, Samoa, Senegal, Sierra Leone, Singapore, Slovakia,
           Slovenia, Solomon Islands, Somalia, South Africa, Sri Lanka, Sudan,
           Swaziland, Switzerland, Taiwan, Tajikistan, Thailand, Togo,
           Trinidad and Tobago, Turkmenistan, Tuvalu, Uganda,
           United Arab Emirates, United States, Uruguay, Uzbekistan, Vanuatu,
           Vietnam, Zimbabwe

1-10       Bosnia Herzegovina, India, Ukraine, United Kingdom, Venezuela,
           Saudi Arabia, Italy, Peru, Syria, Bulgaria, Chile, Mexico, Argentina,
           Colombia, Morocco, Spain, Egypt, Tunisia

11-20      Netherlands, Romania

21-50      Belgium, France, Georgia

51-115     Germany, Brazil, Russia, Turkey, Iran, Poland

116-360    China

Table 7-1. Counts of Malicious Software Programs Across Countries.

INDEPENDENT VARIABLES

The data for the independent variables derived from the CIA World Factbook and from Freedom House, a nongovernmental organization that collects annual data on political freedom around the globe.50 In order to model the number of reported malicious software programs, we included several covariates in both the binary and count models. We examined measures of GDP and technological infrastructure, political rights, and population diversity.

In the count model, the first group of covariates included measures of GDP and the number of Internet hosts within the country. We used the log of GDP per capita (Log GDP) and the log of Internet hosts (Log Hosts), both from the CIA World Factbook.51 We logged the values for these two variables because both distributions were skewed. We also considered other measures of technology infrastructure, including the number of cell phones and the number of radio and television stations. However, because these variables were all highly correlated with both Log GDP and Log Hosts, we could not include them in the same model.52 Furthermore, we attempted to include country population as a control variable, but, not surprisingly, it was highly correlated with all the predictor variables and also could not be included in the regression model.
The second variable included in the models was the degree of political rights (political rights) as measured by Freedom House.53 The variable ranged from 1 (the most free) to 7 (the least free). Freedom House's measure of political rights is based on a checklist of 10 political rights questions that fall into four subcategories: electoral process, political pluralism, participation, and functioning of government. These scores are then used to create the political rights subscale.

For measures of diversity, we included two variables: ethnic heterogeneity (ethnicity) and religious heterogeneity (religion). Both measures derived from the CIA World Factbook data, using P. M. Blau's heterogeneity index, calculated as 1 - Σ p_i^2, where p_i is the proportion of the population in each religious or ethnic group.54 The squared proportions are summed and subtracted from 1, which gives an index from 0 (total homogeneity) to 1 (total heterogeneity). A higher Blau's index indicated more heterogeneity on the two measures.

Finally, we included a dummy variable for countries on the Asian continent, such as China and North Korea, as a control variable. This variable included Middle Eastern countries such as Iran and Afghanistan as well. Research indicates that Asian countries appear to be a prominent source of malware and hacker activity.55 In addition, tools from countries with non-Latin alphabets, like China or Iran, might have been more easily detected and therefore had a higher likelihood of being reported in the malware dataset.

COUNT DATA ISSUES: THE ZERO-INFLATED NEGATIVE BINOMIAL MODEL

Our dependent variable (MALWARE) reported the count of malicious software detected within each country. Using ordinary least squares (OLS) regression was problematic because MALWARE was not normally distributed. It was right-skewed, as only a few countries reported hundreds of malicious software programs. The remaining countries reported far fewer than 100, most reporting 0. Thus, the modal count was 0, which resulted in an abundance of 0s in the variable's distribution. In fact, 80 percent of countries reported no malicious software during the study period. Furthermore, the data were reported counts, omitting some countries that undoubtedly produced malicious software but were not detected by the reporting program. Because of these issues, using OLS regression was likely to result in biased coefficients and standard errors.

To remedy these problems, several limited dependent variable regression models for count data may be employed, including Poisson, zero-inflated Poisson, negative binomial, and zero-inflated negative binomial. A discourse on the differences among these models is beyond the scope of this chapter.56 Using Stata 8.0, the calculations employed a zero-inflated negative binomial (ZINB) model for two reasons. First, the variance was greater than the mean, indicating over-dispersion; thus, a Poisson model, which assumes that the variance equals the mean, was eliminated. Second, the abundant zeros in the frequency distribution likely came from two different groups: the Always-Zero group (a country that never produced malicious software) and the Not-Always-Zero group (a country that likely produced malicious software).

For example, consider a country from the dataset likely in the Not-Always-Zero group. The United States, a technologically advanced country known to have a historically active hacker population,57 reported zero malicious programs during the study period. The assumption was that this zero count resulted from the reporting process failing to detect malware from the United States. The United States would therefore likely be in the Not-Always-Zero group. Since our data did not indicate which group a country belonged to, other than by subjective estimation, membership in either of the two zero groups was latent, or unobserved. This last point was an important element in favor of a ZINB model, because Poisson or negative binomial models treat all zeros as coming from a single process and would therefore misstate the probability of a country producing zero programs. The ZINB model predicted membership in either of the two latent groups.

To do this, the ZINB model included two processes in the estimation of the outcome count variable: a binary model and a count model. The binary (or inflation) model, typically a logit, predicted the membership of a case in the Always-Zero group versus the Not-Always-Zero group. The first process thus accounted for membership in the two groups, while the second, count model predicted the number of counts among countries in the Not-Always-Zero group. Both models are reported in the results of a ZINB regression.

The decision to employ a ZINB should be based on the researchers' substantive understanding of how the data were generated, especially when the counts are subject to reporting bias.58 However, a researcher should also consider the Vuong test.59 The Vuong statistic tests whether the ZINB model fits the data better than a standard negative binomial regression. If the Vuong statistic is significant (V > 1.96), a ZINB should be employed instead of a negative binomial regression.60

The ZINB model then predicted the count of reported malware programs by country based on GDP, Internet hosts, political rights, ethnic heterogeneity, and religious heterogeneity. For the Always-Zero inflation model, the study included two predictors: Internet hosts and political rights. Only 30 countries reported malware, so the study kept the inflation model as parsimonious as possible. Given that authoritarian regimes and countries with more Internet hosts are thought to be likely producers of malware, these two predictors should confirm or refute current thinking on cross-national production of malware.
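The two-process structure described above, written out as code, is an added example and not part of the chapter or its Stata analysis. It also implements the Blau heterogeneity index from the independent-variables section, since that is how the religion and ethnicity predictors are built. The logit and count coefficients are copied from Table 7-3 and the covariate means from Table 7-2; the negative binomial dispersion parameter (ALPHA) is not reported in the chapter, so the value used here is an assumption and the absolute zero probabilities are illustrative rather than a reproduction of Figure 7-1. Constructed group shares are used to show the index.

```python
"""Added example (not from the chapter): the ZINB mixture of an Always-Zero
logit process and a negative binomial count process, plus Blau's index.

Coefficients are taken from the chapter's Table 7-3 and means from Table 7-2.
ALPHA (NB2 dispersion) is NOT reported in the chapter and is ASSUMED here.
"""
import math


def blau_index(shares):
    """Blau's heterogeneity index: 1 - sum(p_i^2) over group proportions.

    0 means one group holds everyone; values approach 1 as many groups of
    similar size appear. Shares are normalised first because source tables
    (e.g. Factbook rows) often list percentages that do not sum exactly to 100.
    """
    total = sum(shares)
    if total <= 0 or any(s < 0 for s in shares):
        raise ValueError("shares must be non-negative and not all zero")
    return 1.0 - sum((s / total) ** 2 for s in shares)


# Coefficients from Table 7-3 (keys are the chapter's covariate names).
LOGIT_COEFS = {"const": 23.443, "log_hosts": -1.507, "rights": -2.135}
COUNT_COEFS = {"const": -4.492, "log_gdp": 0.054, "log_hosts": 0.504,
               "rights": 0.297, "religion": -5.798, "ethnicity": -0.658}
# Sample means from Table 7-2, used to hold the other predictors fixed.
MEANS = {"log_gdp": 8.796, "log_hosts": 10.095,
         "religion": 0.398, "ethnicity": 0.363}
ALPHA = 1.0  # ASSUMED NB2 dispersion (Var = mu + alpha * mu^2); not in the chapter.


def _linear_predictor(coefs, x):
    return coefs["const"] + sum(b * x[k] for k, b in coefs.items() if k != "const")


def always_zero_prob(x, coefs=LOGIT_COEFS):
    """Inflation (logit) process: P(country belongs to the Always-Zero group)."""
    return 1.0 / (1.0 + math.exp(-_linear_predictor(coefs, x)))


def count_mean(x, coefs=COUNT_COEFS):
    """Count process: expected count mu = exp(x'b) for a Not-Always-Zero country."""
    return math.exp(_linear_predictor(coefs, x))


def nb_zero_prob(mu, alpha=ALPHA):
    """P(Y = 0) under the NB2 distribution with mean mu and dispersion alpha."""
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    return (1.0 / (1.0 + alpha * mu)) ** (1.0 / alpha)


def zinb_zero_prob(pi, mu, alpha=ALPHA):
    """Mixture: a zero arises either because the country is Always-Zero
    (probability pi) or because a producing country happened to report 0."""
    return pi + (1.0 - pi) * nb_zero_prob(mu, alpha)


def zinb_expected_count(pi, mu):
    """Marginal expected count: mu shrunk by the Always-Zero probability."""
    return (1.0 - pi) * mu


def political_rights_sweep(alpha=ALPHA):
    """Figure 7-1's construction: vary political rights from 1 (most free)
    to 7 (least free) with every other predictor at its mean, and return
    the zero probabilities from the binary equation, the count equation,
    and both combined."""
    rows = []
    for rights in range(1, 8):
        x = dict(MEANS, rights=rights)
        pi, mu = always_zero_prob(x), count_mean(x)
        rows.append({"rights": rights,
                     "p_always_zero": pi,
                     "p_zero_count": nb_zero_prob(mu, alpha),
                     "p_zero_both": zinb_zero_prob(pi, mu, alpha),
                     "expected_count": zinb_expected_count(pi, mu)})
    return rows


if __name__ == "__main__":
    # Constructed shares (60/30/10) standing in for a Factbook religion row.
    print("Blau index for constructed shares 60/30/10:",
          round(blau_index([60, 30, 10]), 3))
    for r in political_rights_sweep():
        print("rights={rights}  P(always-zero)={p_always_zero:.3f}  "
              "P(0|count)={p_zero_count:.3f}  P(0)={p_zero_both:.3f}  "
              "E[count]={expected_count:.2f}".format(**r))
```

With these coefficients the logit process drives the Always-Zero probability from near 1 at the most free score to near 0 at the least free score, which is the shape the chapter describes for the binary equation in Figure 7-1; the combined zero probability depends on the assumed dispersion and should not be read as the chapter's 0.600 figure.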

FINDINGS

The available data resulted in 147 countries in the sample, which are listed in Table 7-1. The modal count of reported software was zero. Thirty countries reported producing one or more malicious software programs in the sample years. China reported the highest number of programs, 353, which is in keeping with emergent research on Chinese hacker activity.61 It is important to remember that many of the countries in the zero category were actually producers of malware. Such countries likely produced malware during the sample period, but it was not detected and reported to the website. It is also likely that malware from these countries was reported to the website, but the country of origin was not discernible. The ZINB model attempts to distinguish between the two kinds of zero counts (true zeros, where no malware was produced, and zeros that reflect a failure to detect).

The descriptive statistics for reports of malicious software and the predictor variables appear in Table 7-2. As mentioned previously, the variance of the dependent variable was greater than the mean (s2 = 1108.291; m = 6.966), indicating over-dispersion and ruling out a Poisson model. Because GDP and Hosts were logged, their mean levels are difficult to interpret and not as useful, but the values are reported in Table 7-2. The average level of political rights was 3.262, about the middle of the Freedom House scale. The mean levels of religious and ethnic heterogeneity were 0.398 and 0.363, respectively.


Variable     Mean     s.d.     Min     Max
Malware      6.966    33.291   0.000   353
Log GDP      8.796    1.300    5.298   11.282
Log Hosts    10.095   4.261    0.000   19.571
Rights       3.262    2.185    1.000   7.000
Religion     0.398    0.245    0.000   0.868
Ethnicity    0.363    0.254    0.000   0.950

Table 7-2. Descriptive Statistics (n=147).

Table 7-3 reports the results for the ZINB model. First, the Always-Zero inflation model reports the likelihood of a country never having reports of malicious software. The results of the Vuong test indicated that the ZINB model was an improvement over a negative binomial model (V = 2.32; p < 0.01). More Internet hosts reduced the likelihood of being in the Always-Zero group (b = -1.507). Thus, more hosts increased the likelihood of being a malware producer. Fewer political rights (a higher score) also reduced the likelihood of being in the Always-Zero group (b = -2.135), meaning that countries with fewer political rights were more likely to have been creators of malware.
Covariate                               b             s.e.

Zero-always Inflation Model (Logit)
  Log Hosts                             -1.507*       0.720
  Political Rights                      -2.135*       1.088
  Constant                              23.443*       10.943

Zero-inflated Negative Binomial Model
  Log GDP                               0.054         0.255
  Log Hosts                             0.504***      0.500
  Political Rights                      0.297         0.134
  Religion                              -5.798**      1.786
  Ethnicity                             -0.658        1.559
  Constant                              -4.492        5.460

Log Likelihood                          -169.844***
Vuong test                              2.32*
Maximum Likelihood R2                   0.314

Notes: * p<0.05; ** p<0.01; *** p<0.001

Table 7-3. Zero-inflated Negative Binomial Regression for Count of Malicious Software (n=147).

Separating the two kinds of zero counts into the Always-Zero and Not-Always-Zero groups allowed us to consider the negative binomial (count) results presented in Table 7-3. More Internet hosts (logged) increased the number of reported malware programs (b = 0.504). Religious heterogeneity was negative, indicating that a more heterogeneous religious milieu reduced the number of reported malware programs (b = -5.798). Log GDP, political rights, and ethnicity were not significant.62

A dummy variable was added to control for Asian countries, to partially rule out the possibility that countries with a non-Latin alphabet would be more likely to be recognized and reported. Higher counts for Asian countries might have resulted from ease of detection rather than from an increased propensity for malware creation. In addition, it was possible that the associations between Internet hosts, political rights, religious heterogeneity, and malware creation were simply due to several Asian countries being high producers of malware. It was therefore important to examine whether these concepts relate to malware generally, or whether they were simply descriptive of the many Asian countries that happened to be high producers of malware.

The results of this model are reported in Table 7-4. In the Always-Zero inflation model, more Internet hosts and fewer political rights remained significant, both predicting a lower likelihood of being in the Always-Zero group, as in the previous model. The dummy variable for Asia was also significant and positive (b = 2.483), indicating that Asian countries were more likely to be in the Always-Zero category than non-Asian countries, that is, more likely not to produce malware. The Asian dummy did not solely account for the relationship between Internet hosts, political rights, and malware, since both measures remained significant in the model. However, it should also be noted that the coefficients decreased substantially between Tables 7-3 and 7-4. This indicates that the Asian measure did partially mediate the effect of those two measures on malware creation.
Covariate                               b             s.e.

Zero-always Inflation Model (Logit)
  Log Hosts                             -0.634**      0.213
  Political Rights                      -0.861*       0.363
  Asia                                  2.483*        1.001
  Constant                              10.067**      3.392

Zero-inflated Negative Binomial Model
  Log GDP                               0.512         0.483
  Log Hosts                             0.302*        0.500
  Political Rights                      0.063         0.271
  Religion                              -3.818*       1.786
  Ethnicity                             -0.484        1.244
  Asia                                  1.540         0.862
  Constant                              -5.591        5.719

Log Likelihood                          -168.0059**
Vuong test                              1.93*
Maximum Likelihood R2

Notes: * p<0.05; ** p<0.01; *** p<0.001

Table 7-4. Zero-inflated Negative Binomial Regression for Count of Malicious Software Controlling for Asian Countries (n=147).

In the negative binomial (count) component of the model, the results were similar to those shown in Table 7-3. Again, only Internet hosts and religious heterogeneity were significant predictors. Thus, the Asia measure did not account for the prediction of reported malware in the count model, either.


In order to make the results more intuitive, predicted counts of malicious software and the probabilities of being in the Always-Zero group were calculated from the first regression model (reported in Table 7-3). The results for six countries are reported in Table 7-5. Afghanistan, the first country, had zero reported malware programs during the study period and zero predicted malware programs. Its probability of being in the Always-Zero group was 0.999. Thus, Afghanistan was correctly classified based on the available data. Next, the United States and Jordan both had zero reported malware programs. The United States was predicted to have 15 reports of malware, while Jordan was predicted to have seven. Both countries had very low probabilities of being in the Always-Zero group, 0.000 and 0.096 respectively. Finally, three countries had positive observed reports of malware: Turkey (90), Egypt (10), and China (353). Two of the countries, Turkey and Egypt, had about the same predicted as reported counts of malware, 96 and 14 respectively. China, however, had a far lower predicted count than observed count (77 versus 353). All three of these countries had zero probability of being in the Always-Zero group, and because they were observed to have counts of malware, they fell in the negative binomial part of the distribution. These results show how the ZINB regression attempts to model cases where the self-reported nature of the data produces inaccurate counts.

Country          Y (observed count)   Ŷ (predicted count)   p zero   Distribution
Afghanistan      0                    0                     .999     Always zero
United States    0                    15                    .000     Negative binomial
Jordan           0                    7                     .096     Negative binomial
Turkey           90                   96                    .000     Negative binomial
Egypt            10                   14                    .000     Negative binomial
China            353                  77                    .000     Negative binomial

Notes: Ŷ is the predicted count based on the negative binomial model. The column for 'p zero' is the predicted probability that the country is in the Always-Zero distribution.

Table 7-5. Observed and Predicted Values for Counts and Probability of Always-Zero Group From Regression Model.

The probability of having a zero count is also shown in Figure 7-1. The figure shows the change in the probability of a country having a zero count for each level of political rights, from the most free (1) to the least free (7), with all of the other predictor variables set to their mean values. At the most free level, the probability of a zero count from both equations combined is 1.00. As countries become less free, this combined probability of a zero count drops to 0.600. Note also that, in the binary equation, as the political rights score approaches its highest value (7, the least free), the probability of a zero drops to zero.

Figure 7-1. Probability of Country Having 0 Reports of Malicious Software by Political Rights. (Line plot, not reproduced here; series: 0s from Binary Equation, 0s from Count Equation, 0s from both equations.)

DISCUSSION AND CONCLUSIONS

The diverse and sophisticated threats posed by hackers and malicious software writers require significant investigation by both the technical and social sciences to understand the various forces that affect participation in these activities. It is, however, challenging to identify reliable governmental data sources with which to examine trends and correlates of malware and hacking events. As a consequence, social science research may benefit from data mining online forums and websites to develop data sets.63 Such efforts may prove beneficial, as online data enable individuals to provide direct information on various forms of cybercrime without the stigma or fear that may otherwise result from contacting law enforcement agencies. This study attempted to demonstrate the value of such data through a country-level analysis of the economic, technological, and social forces that affect malware production, based on reports to an international online malware repository.

The findings suggest malware production does not depend on a nation's economic conditions unless they affect the development of its technological infrastructure. Nations with a larger number of Internet hosts were more likely to develop malware resources, because these nations offer their citizens more opportunities to offend. Thus, greater information technology infrastructure may increase the number of people who can go online and, in turn, the development of hacker communities and malware creation.

Considering that GDP did not relate to malware production when controlling for Internet connectivity, hackers appear able to produce malware efficiently, regardless of the legitimate employment opportunities provided by their markets.64 Additionally, this finding gives some support to the value of malware as a force multiplier in attacks against various targets, as such tools do not require significant economic investment to complete. As a result, there may be little policy value in considering only how G20 nations are involved in cyber attacks; it may be more useful to explore the diverse nature of the hacker threat in a global context.65 For example, understanding the relationships and intersections of hacker communities around the world through online environments may give some insight into the spread of techniques and utilities for developing malware.

This analysis also indicated that more repressive governments created environments in which malware production was more likely. This suggests a relationship between political oppression and the development of attack tools. It is unclear, however, whether these tools were being created as a means to attack other nations to steal information, to engage in espionage, or to carry out internal attacks as a means of liberation. The negative effect of religious heterogeneity on malware production, however, suggests that malware was not designed as a means of affecting individuals' religious views within their own country.

The exploratory nature of this chapter provides multiple directions for future research. Specifically, there is a strong need for greater qualitative and quantitative examination of hacker communities around the world. Research on hacker subcultures in the United States,66 China,67 and Russia68 suggests that there are norms, justifications, and beliefs that drive individual action. Examining the subcultural norms of hacker communities in established and emerging nations in Asia, Northern Africa, and South America can provide insights into the influence of a nation's economic, political, and religious milieu on hacker activity.

The self-report nature of the data used to develop the dependent variable, malware creation, also suggests a need for further investigation using online data sources on the prevalence and characteristics of malicious software. Many cybercrime scholars have argued for greater official statistics on cybercrime offenses from law enforcement, government agencies, and the private sector.69 The presence of such published statistics could provide greater insight into the problem of malware, although there is little likelihood that these entities would provide such information to the academic research community. Instead, utilizing data sources such as the one used in this analysis provides a necessary and practical alternative to closed sources.

Though there are limitations with the data used in this chapter, as in all self-report studies, the work has demonstrated that reporting efforts can be successful in modeling computer crime. The results of this chapter suggest that a more concentrated effort by government or academic institutions to collect self-reported malware production is worth pursuing. Widely publicizing an Internet site where white-hat hackers, Internet security professionals, and laypersons could log detections of malware programs would improve the reliability of the data. Furthermore, such a reporting effort could create a database in which highly visible cyber attacks reported in the media are collected and analyzed, similar to the efforts of the University of Maryland's National Consortium for the Study of Terrorism and Responses to Terrorism (START) Center. Given the clandestine nature of hacking, the anonymity of reporters would need to be emphasized and assured to increase participation in reporting. Some kind of verification protocol, such as requiring snippets of code or screenshots of user interface screens, should be implemented to ensure the accuracy of the information provided.

Combining this chapter's approach with technical analyses of malware would also allow for some examination of the technical sophistication of the tools created by hackers in each country. Such information could give additional nuance to this study and may reveal relationships with the macro-level variables included here. For example, if there is a correlation between the production of software designed to steal financial information and the economic or political climate of a nation, this information may help to better understand the drivers of financially motivated cybercrime. Alternatively, the programming languages in which these programs are written could be used as a proxy for technical sophistication and skill. If any relationship can be identified between coding languages and technological, economic, or political drivers, such examination may help to better identify the forces that influence malware creation. In turn, this can improve understanding of malicious software production at the national level.
CHAPTER 8

ISP GRADE THREAT MONITORING

Abhrajit Ghosh

INTRODUCTION

Today's Internet Service Provider (ISP) has to deal with various types of threats that impact not only its own operations but also those of its customers. These threats manifest in the form of malicious network traffic that may either overload the network infrastructure (e.g., Distributed Denial of Service [DDoS]) or enable the execution of illegal activities (e.g., spam, identity [ID] theft). ISPs can typically provision excess network capacity to deal with volume-based attacks; however, their end customers may not always be able to do so. Consequently, it is very often the ISP's responsibility to detect and mitigate attacks that target its customers. Originators of malicious activities that are relatively stealthy in nature cannot easily be monitored from their targets, because of the intermittent nature of the activity observed at each individual target. However, an ISP has access to substantially more data on each node within its administrative domain and is in a better position to detect originators of potentially malicious activities, as well as to mitigate the threat posed by them. According to Arbor Networks, the most significant threat faced by IP network operators today is host- or link-level DDoS.1 A significant portion of DDoS attacks are known to employ IP spoofing, a technique that allows an attacker to fake the source addresses on attack traffic. The use of IP spoofing makes it more difficult to trace an attack back to its source and delays the start of mitigation. Another significant source of concern is botnet activity. Botnets are networks of (typically) illegitimately controlled computers, spread across the public Internet, under the control of one or more so-called bot-herders. While botnets can be employed to originate DDoS attacks, they may also be used to run large spam-delivery operations, which may in turn be used to propagate malicious code onto unsuspecting network users' computers. Botnets can also be used to explore compromised hosts and networks for valuable data to exfiltrate into the hands of an adversary.

Many  ISPs  operate  Security  Operation  Centers 
(SOCs),  wherein  dedicated  systems  and  personnel 
monitor  and  analyze  data  feeds  to  detect  the  occur¬ 
rence  of  malicious  activities.  The  volume  of  data 
available  at  an  ISP's  SOC  can  be  challenging  for  most 
analysis  systems.  It  is  essential  that  the  data  collection 
strategy  as  well  as  the  analysis  algorithms  be  tuned  to 
such  data  volumes. 

MONITORING FOR THREATS

Several approaches have been proposed in the past for detection of volume-based network attacks. Volume analysis approaches make use of flow record export capabilities at network routers such as sFlow2 and NetFlow3 in conjunction with flow-collection software such as nfdump4 and flow-tools.5 Analysis algorithms look for evidence of anomalous traffic volumes in the exported flow records. The operation of these components appears in Figure 8-1. Traffic enters a network via one of its edge routers and may traverse one or more core routers before exiting. It is possible to enable flow data export capabilities on either core or edge routers. In many cases, network operators minimize the processing load on routers by mirroring traffic observed at the routers to dedicated flow agents. In the latter case, flow agents act as flow exporters, thus offloading some of the flow data export load from the routers. Exported flow data are directed to one or more flow collectors, which typically save flow information into persistent storage for subsequent analysis. Various flavors of analysis tools are available; for example, nfdump provides tools to compute statistical data on individual flows or on flow aggregates. Tools such as Nfsen provide graphical web-based front ends for flow analysis visualization.6

Figure 8-1. Flow Data Collection.

An alternative approach is to use Simple Network Management Protocol (SNMP)-based network monitoring tools to observe standard network monitoring Management Information Bases (MIBs).7 For example, packets-per-second counters within the SNMP MIB structure at a router can be used to detect volume anomalies. SNMP-based detection of volume anomalies is inherently coarser grained than the flow analysis-based approaches. On the other hand, SNMP data analysis is a lighter weight process than flow data analysis. Neither method can by itself distinguish between legitimate and illegitimate volume anomalies.

Deep Packet Inspection (DPI)-based approaches provide a means to inspect every byte of every packet passing through the inspection device.8 This approach allows for the inspection of the application payload the packet carries and can help identify the program or service being used. DPI-based approaches are especially useful for applications that use nonstandard ports such as Skype and other peer-to-peer applications. However, this is a computationally intensive process, especially at high network data rates, and is typically implemented using custom hardware solutions. The use of custom hardware makes DPI approaches fairly expensive for large-scale deployments. In addition, DPI approaches may not be very useful if the inspected data payloads are encrypted. One approach for using DPI-based solutions is to compare observed application payloads with known attack signatures. However, this requires the maintenance of an attack signature repository and is not very useful when considered in the context of zero-day attacks.

SECURITY MONITORING SYSTEM

Telcordia has spent several years researching various aspects of network security; in particular, the problem of monitoring large-scale networks for malicious activity. The company has developed a system for large-scale security monitoring that examines data exported by flow agents for anomalies. An illustration of a typical deployment appears in Figure 8-2. The system receives NetFlow and sFlow feeds from multiple flow agents located within the monitored network. It also periodically downloads the following types of data from publicly accessible sources:

• BGP (Border Gateway Protocol) routing information from public BGP Routing Information Bases (RIBs).9

• BGP Autonomous System (AS) number registration information from Internet Routing Registries (IRRs).10

• Blacklisted IP address lists from Domain Name System Blacklists (DNSBLs)11 and legitimate IP address lists from Domain Name System Whitelists (DNSWLs).12

Flow data are analyzed in conjunction with the above types of data sources for anomalies.

Figure 8-2. Security Monitoring System Deployment.
The goal of the system is to detect various types of network traffic anomalies that could be caused by DDoS, spamming, IP address spoofing, and botnet activities. The system is designed to scale to Tier 1 ISP data rates wherein several gigabytes of flow data could be generated every few minutes.

A high level architecture of the monitoring system appears in Figure 8-3. A set of data collectors acquires flow data from within the monitored network and publicly accessible data from the types of sources listed above that reside outside the monitored network. Collected data are written into persistent storage, which consists of an SQL database and a set of flat files.

[Figure 8-3 legend: RIC: Route Information Collector; FC: Flow Collector; AD: Anomaly Detector; DNSBL/WL: DNS Blacklist/Whitelist]

Figure 8-3. Monitoring System Architecture.

A set of anomaly detectors analyzes the collected data and generates alerts when anomalies are detected. Currently three types of anomaly detectors are provided: (a) Volume Anomaly Detectors; (b) Source Anomaly Detectors; and (c) Profile Anomaly Detectors. The Volume Anomaly Detector analyzes collected data for volume anomalies using a variety of approaches. The Source Anomaly Detector incorporates algorithms for spoofed-source IP address detection and makes use of flow data, BGP routing data, and AS number registration data. The Profile Anomaly Detector examines the flow-level behavior of individual nodes within the monitored network in conjunction with Blacklist/Whitelist information to identify potentially malicious nodes. Each Anomaly Detector outputs the result of its analysis into a structured query language (SQL) table.

Results of the outputs of various anomaly detectors can be analyzed in conjunction with each other using the Correlation Engine. The Correlation Engine attempts to determine if detected anomalous activities are contemporaneous. It also attempts to identify if an attack source generating one type of attack is also responsible for other types of attacks. As such, the correlation engine provides a means to reduce the overall false-positive rate of the monitoring system.

SOURCE ANOMALY DETECTION

The goal of the source anomaly detectors is to identify instances of source IP address spoofing in observed flows. The basic principle of the operation of source anomaly detectors appears in Figure 8-4. Here, data for the monitored ISP are acquired via NetFlow/sFlow data feeds from three flow agents. Source address profiles are generated for each flow agent using training flow data. Alerts are raised when a source IP address that does not match a flow agent's profile is observed at the agent. For example, during training, source IP addresses from ISP_D are expected at flow agent FA2, while source IP addresses from ISP_A are expected at FA1. An alert will occur if flows with source IP addresses from ISP_D are observed at FA1, since this could be evidence of a possible spoofing attack.

Figure 8-4. Source Anomaly Detection Overview.

While using training data, care must be taken to reduce the possibility of using spoofed traffic to build the source address profiles. While building the profiles, care can be taken by considering only flows for established TCP connections and by ignoring flows to destinations receiving data from bogon sources. It is also possible that training data may not be adequate to cover all potential sources of traffic. One can address this potential issue by considering profiles based on BGP AS numbers, given that a single BGP AS number can map to several IP address prefixes, including those prefixes not observed during training.
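As an added example (not Telcordia's code), the following Python sketch implements the per-flow-agent profile scheme just described, including both training precautions and the AS-level generalization; the RIB table, bogon list, agent names, addresses and flows are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a public BGP RIB: prefix -> origin AS number.
# AS 64501 plays the role of ISP_A and AS 64504 the role of ISP_D from the text.
RIB = {
    ip_network("198.51.100.0/24"): 64501,   # ISP_A
    ip_network("203.0.113.0/25"): 64504,    # ISP_D, the half seen in training
    ip_network("203.0.113.128/25"): 64504,  # ISP_D, never seen in training
    ip_network("192.0.2.0/24"): 64502,
}

# Constructed bogon list: space that should never be a source on the public Internet.
BOGONS = [ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

SYN, ACK = 0x02, 0x10
TCP = 6


@dataclass(frozen=True)
class Flow:
    agent: str      # flow agent that exported the record, e.g. "FA1"
    src: str
    dst: str
    proto: int
    tcp_flags: int  # OR of all TCP flags seen in the flow, as NetFlow reports them
    nbytes: int


def origin_as(addr):
    """Longest-prefix match of addr against the RIB; None if no route covers it."""
    ip = ip_address(addr)
    best = None
    for net, asn in RIB.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def is_bogon(addr):
    ip = ip_address(addr)
    return any(ip in net for net in BOGONS)


def is_established_tcp(flow):
    """Only flows that carried an ACK belong to an established connection; a bare
    SYN is what a spoofed flood looks like and must not train the profile."""
    return flow.proto == TCP and bool(flow.tcp_flags & ACK)


def build_profiles(training):
    """Return {agent: set of AS numbers expected as sources at that agent}."""
    # Destinations that received anything from bogon space are treated as
    # possibly under attack during training; every flow to them is discarded.
    tainted_dsts = {f.dst for f in training if is_bogon(f.src)}
    profiles = defaultdict(set)
    for f in training:
        if not is_established_tcp(f) or f.dst in tainted_dsts:
            continue
        asn = origin_as(f.src)
        if asn is not None:
            profiles[f.agent].add(asn)
    return dict(profiles)


def detect(profiles, observed):
    """One alert per flow whose source AS is not in the exporting agent's profile."""
    alerts = []
    for f in observed:
        asn = origin_as(f.src)
        if asn is None:
            alerts.append((f.agent, f.src, "source not covered by any route"))
        elif asn not in profiles.get(f.agent, set()):
            alerts.append((f.agent, f.src, f"AS{asn} not expected at {f.agent}"))
    return alerts


# Constructed training flows: the SYN-only flow at FA1 and the flows to the
# destination that a bogon source also reached are excluded from the profiles.
TRAINING = [
    Flow("FA1", "198.51.100.10", "192.0.2.50", TCP, SYN | ACK, 4200),
    Flow("FA2", "203.0.113.5", "192.0.2.60", TCP, SYN | ACK, 9800),
    Flow("FA1", "203.0.113.77", "192.0.2.50", TCP, SYN, 40),        # SYN only
    Flow("FA1", "10.1.2.3", "192.0.2.70", TCP, SYN | ACK, 300),     # bogon source
    Flow("FA1", "192.0.2.9", "192.0.2.70", TCP, SYN | ACK, 5000),   # tainted dst
]

# Constructed observed flows: an ISP_D address at FA1 (alert) and an ISP_D prefix
# never seen in training at FA2 (no alert, because the profile is AS-based).
OBSERVED = [
    Flow("FA1", "198.51.100.77", "192.0.2.50", TCP, ACK, 1200),
    Flow("FA1", "203.0.113.200", "192.0.2.50", TCP, SYN, 40),
    Flow("FA2", "203.0.113.200", "192.0.2.60", TCP, SYN | ACK, 800),
    Flow("FA2", "10.9.9.9", "192.0.2.60", TCP, SYN, 40),
]

if __name__ == "__main__":
    for alert in detect(build_profiles(TRAINING), OBSERVED):
        print(alert)
```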

PROFILE ANOMALY DETECTION

The profile anomaly detectors detect any behavioral anomalies pertaining to hosts within the monitored network. One profile anomaly detector that is currently part of the system identifies potential spammers using flow data and spammer blacklists. Figure 8-5 illustrates the operation of the spammer detector. This detector operates in a two-step process.

1. Training: During this process, training flows build a communication profile for each suspected spammer node. Nodes with similar communication profiles are grouped into clusters. Subsequently, IP address blacklists and whitelists identify clusters that contain known spammers. The existing clusters are then labeled as spammer clusters or as non-spammer clusters.

2. Judgment: As in the training case, observed flows build communication profiles for suspected spammer nodes. The best matching cluster is identified for each communication profile. A node is identified as a spammer if its profile matches a spammer cluster.

[Figure 8-5 elements: Flow Collector; DNSBL/DNSWL; known non-spammers]

Figure 8-5. Spammer Detection Overview.
VOLUME ANOMALY DETECTION

Our system incorporates an efficient real-time volume anomaly detector that gives early warning of observed volume anomalies. The volume anomaly detector operates by considering a near-term moving window of flow records when computing traffic volumes to a destination address. The operation of the real-time volume anomaly detector appears in Figure 8-6. Flow records from flow agents are stored in memory over a user-defined time window (e.g., 5 minutes). Traffic volumes are computed for destinations observed within a given time window and are compared against operator-specified thresholds to determine the presence of anomalies. This approach eliminates the need to create large archives of flow records for the purpose of volume-based analysis and allows more timely detection of anomalies in the observed data. The approach is also somewhat more accurate than the archive-based approach, since it is not constrained by artificial time boundaries used while archiving files.

[Figure 8-6 elements: Operator Thresholds]

Figure 8-6. Volume Anomaly Detection Overview.
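The moving-window detector described above, as an added example rather than the system's own code: flow records live in memory only for the window length, per-destination byte totals are checked against operator thresholds on every arrival, and a fixed-bin (archive-style) tally over the same constructed feed shows the boundary effect the text mentions. The window size, threshold and flow records are constructed assumptions.

```python
from collections import defaultdict, deque


class VolumeAnomalyDetector:
    """Sliding-window byte counter per destination.

    Records stay in memory only for window_s seconds; nothing is archived.
    thresholds maps a destination to its byte limit per window, with the key
    "default" covering every other destination (operator-specified, constructed).
    """

    def __init__(self, window_s, thresholds):
        self.window_s = window_s
        self.thresholds = thresholds
        self.records = deque()            # (ts, dst, nbytes), oldest first
        self.totals = defaultdict(int)    # dst -> bytes currently inside the window
        self.in_alarm = set()             # destinations already reported
        self.alerts = []                  # (ts, dst, bytes_in_window)

    def limit_for(self, dst):
        return self.thresholds.get(dst, self.thresholds["default"])

    def _expire(self, now):
        """Drop records that slid out of the window; clear alarms that fell below limit."""
        while self.records and self.records[0][0] <= now - self.window_s:
            _, dst, nbytes = self.records.popleft()
            self.totals[dst] -= nbytes
            if dst in self.in_alarm and self.totals[dst] <= self.limit_for(dst):
                self.in_alarm.discard(dst)

    def ingest(self, ts, dst, nbytes):
        """Feed one flow record (timestamps must arrive non-decreasing).
        Returns the alert raised by this record, or None."""
        self._expire(ts)
        self.records.append((ts, dst, nbytes))
        self.totals[dst] += nbytes
        if self.totals[dst] > self.limit_for(dst) and dst not in self.in_alarm:
            self.in_alarm.add(dst)
            alert = (ts, dst, self.totals[dst])
            self.alerts.append(alert)
            return alert
        return None


def fixed_bin_alerts(flows, bin_s, thresholds):
    """The archive-based alternative: totals per fixed time bin, checked afterwards."""
    bins = defaultdict(int)
    for ts, dst, nbytes in flows:
        bins[(ts // bin_s * bin_s, dst)] += nbytes
    default = thresholds["default"]
    return sorted((start, dst, total) for (start, dst), total in bins.items()
                  if total > thresholds.get(dst, default))


def sample_flows():
    """Constructed feed: 15 minutes of background traffic to one destination plus
    a 290-second burst (1.5 MB) that straddles the 300-second archive boundary."""
    target = "192.0.2.10"
    flows = [(ts, target, 5_000) for ts in range(0, 900, 30)]        # background
    flows += [(ts, target, 50_000) for ts in range(180, 480, 10)]    # burst
    return sorted(flows)


THRESHOLDS = {"default": 1_000_000}   # bytes per 300-second window, constructed


def run_sliding(flows, window_s=300):
    det = VolumeAnomalyDetector(window_s, THRESHOLDS)
    for ts, dst, nbytes in flows:
        det.ingest(ts, dst, nbytes)
    return det.alerts


if __name__ == "__main__":
    flows = sample_flows()
    print("sliding window:", run_sliding(flows))                   # one alert at t=370
    print("fixed 300 s bins:", fixed_bin_alerts(flows, 300, THRESHOLDS))  # nothing
```

The burst splits into 600 KB in the first archive bin and 900 KB in the second, so a bin-by-bin check never crosses the 1 MB threshold, while the sliding window sees the whole burst and alerts while it is still in progress.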
ANOMALY CORRELATION

Our system incorporates a correlation engine that correlates alerts generated by the different types of anomaly detectors. A significant issue with many anomaly detection-based approaches is their potentially high false-positive rate. The correlation engine component reduces the possibility of generating false positives.

Different types of correlations are performed by the system. These may be based on the source IP addresses of observed flows or on their destination IP addresses. For example, source anomaly alerts are correlated with volume anomaly alerts to determine whether a volume anomaly targeting a specific destination is happening at the same time as source anomalies are observed. Also, volume anomaly alerts are correlated with profile anomaly alerts to determine whether a source of elevated traffic volumes has performed other types of malicious activities such as spamming or participation in a botnet.
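Since each detector writes its results to an SQL table, the two correlations just described can be expressed as joins. The following is an added example, not the system's correlation engine; the table layouts, the assumption that a volume alert records the top contributing source (top_src), and all alert rows are constructed.

```python
import sqlite3

# One table per detector, mirroring "each Anomaly Detector outputs ... into an SQL table".
# Column names are assumptions made for this example.
SCHEMA = """
CREATE TABLE volume_alerts  (ts INTEGER, dst TEXT, top_src TEXT, nbytes INTEGER);
CREATE TABLE source_alerts  (ts INTEGER, agent TEXT, src TEXT, dst TEXT, reason TEXT);
CREATE TABLE profile_alerts (ts INTEGER, node TEXT, kind TEXT);
"""

# Constructed alert rows (timestamps in seconds).
VOLUME_ALERTS = [
    (1000, "192.0.2.10", "203.0.113.7", 1_500_000),
    (5000, "192.0.2.20", "198.51.100.9", 1_200_000),
    (9000, "192.0.2.30", "192.0.2.99", 1_100_000),   # no other detector agrees
]
SOURCE_ALERTS = [
    (1010, "FA1", "203.0.113.200", "192.0.2.10", "AS64504 not expected at FA1"),
    (1030, "FA1", "203.0.113.201", "192.0.2.10", "AS64504 not expected at FA1"),
    (8000, "FA2", "10.9.9.9", "192.0.2.30", "source not covered by any route"),
]
PROFILE_ALERTS = [
    (900, "198.51.100.9", "spammer"),
    (4000, "203.0.113.7", "botnet"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO volume_alerts VALUES (?,?,?,?)", VOLUME_ALERTS)
    conn.executemany("INSERT INTO source_alerts VALUES (?,?,?,?,?)", SOURCE_ALERTS)
    conn.executemany("INSERT INTO profile_alerts VALUES (?,?,?)", PROFILE_ALERTS)
    return conn


def contemporaneous_spoofing(conn, window_s):
    """Destination-based correlation: volume anomalies at a destination that also
    drew source (spoofing) alerts within +/- window_s seconds of the volume alert."""
    return conn.execute(
        """SELECT v.ts, v.dst, COUNT(s.src)
             FROM volume_alerts v
             JOIN source_alerts s
               ON s.dst = v.dst AND s.ts BETWEEN v.ts - ? AND v.ts + ?
            GROUP BY v.ts, v.dst
            ORDER BY v.ts""",
        (window_s, window_s)).fetchall()


def repeat_offenders(conn):
    """Source-based correlation: the top source of a volume anomaly that the
    profile detector has already flagged for some other malicious behaviour."""
    return conn.execute(
        """SELECT v.ts, v.top_src, p.kind
             FROM volume_alerts v
             JOIN profile_alerts p ON p.node = v.top_src
            ORDER BY v.ts""").fetchall()


def corroborated(conn, window_s):
    """Volume alerts backed by at least one other detector; the remainder are the
    ones an analyst would deprioritise as probable false positives."""
    keep = {(ts, dst) for ts, dst, _ in contemporaneous_spoofing(conn, window_s)}
    keep |= {(ts, dst) for ts, dst in conn.execute(
        """SELECT v.ts, v.dst FROM volume_alerts v
             JOIN profile_alerts p ON p.node = v.top_src""")}
    return sorted(keep)


if __name__ == "__main__":
    conn = open_db()
    print(contemporaneous_spoofing(conn, 60))
    print(repeat_offenders(conn))
    print(corroborated(conn, 60))
```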

CONCLUSION

Our system offers several advantages to an operator who may be interested in monitoring the network for potentially malicious activity. It integrates with standardized data sources, such as NetFlow and sFlow. It has also been evaluated in a Tier 1 ISP environment and has scaled to the high data rates observed therein. There is also no requirement for specialized hardware, as is the case for many current solutions (for example, DPI approaches); the approach is software based and therefore portable.

The use of an alert correlation component is valuable to a network operator who would be very interested in lowering false-positive rates. Given the high data volumes, even a relatively small false-positive rate can lead to a significant number of alerts that may confuse a human operator. This approach uses behavioral anomalies to identify potentially malicious nodes in the target network and is thus in a position to detect zero-day attacks, since it does not depend on the availability of attack signatures. Our system can potentially be used by a network operator to support the delivery of revenue-generating attack detection services to interested customers.
CHAPTER 9

THE CHALLENGES ASSOCIATED WITH ASSESSING CYBER ISSUES

Stuart H. Starr

INTRODUCTION

Since the issuance of the 2010 Quadrennial Defense Review (QDR), there has been a growing appreciation of the challenges associated with assessing irregular warfare. In particular, there is an understanding that cyber issues are of increased importance in future irregular wars. This manifests in adversary exfiltration of data from sensitive but unclassified databases, cyber attacks on sovereign nations (e.g., Estonia and Georgia), and the fear that critical infrastructures may be the target of a "cyber Pearl Harbor." However, the assessment community is having a difficult time characterizing the current ability to assess cyber issues and prioritizing actions to improve that capability.

The goal of this chapter is to explore the state-of-the-art in the ability to assess cyber issues. To illuminate this problem, the chapter presents a tentative decomposition of the problem into manageable subsets. Using that deconstruction, it identifies candidate cyber policy issues that warrant further analysis and identifies and illustrates candidate Measures of Merit (MoMs). Subsequently, the chapter characterizes some of the more promising existing cyber assessment capabilities that the community is employing, followed by an identification of several cyber assessment capabilities that will be necessary to support future cyber policy assessments. The chapter concludes with a brief identification of high priority cyber assessment efforts to pursue.

DECOMPOSITION OF THE PROBLEM

To structure the problem, the holistic cyber framework is depicted in Figure 9-1. This framework is patterned after the triangular framework that the military operations research community has employed to decompose the dimensions of traditional warfare. In that framework, the base consists of systems models, upon which rest more complex, higher orders of interactions (e.g., engagements, tactical operations, campaigns). Historically, the outputs from the lower levels provide the feedback to the higher levels of the triangle.

Figure 9-1. Decomposition of the Problem.

By analogy, the bottom of the pyramid consists of "cyberspace," the components, systems, and systems-of-systems that comprise the cyber infrastructure.1 The output from this cyber infrastructure enhances "cyber power," the traditional instruments of power: political/diplomatic, informational, military, and economic (P/DIME).2 These instruments of power, in turn, provide the basis for "cyber strategy," the empowerment of the entities at the top of the pyramid.3 These entities include, inter alia, individuals, terrorists, transnational criminals, corporations, nation-states, and international organizations. Note that while nation-states have access to all of these instruments of power, the other entities generally have access to only a subset of them. In addition, initiatives such as deterrence and treaties may provide the basis for limiting the empowerment of key entities.

The pyramid suggests that each of these levels is affected by institutional factors. These include governance, legal considerations, regulation, critical infrastructure protection, and consideration of civil liberties.

KEY CYBER POLICY ISSUES

Senior decisionmakers have identified several key policy issues that require further attention (see Table 9-1). Note that this list is representative rather than comprehensive. In Table 9-1, these issues have been aggregated into the categories of cyberspace, cyber power, cyber strategy, and institutional factors. Note that most of these issues are extremely broad and contentious. Consequently, new methods, tools, data, and intellectual capital are needed to address them adequately. In particular, there is a need to cast these issues in the proper context so that one can deal with all of the factors of interest.

Category: Cyberspace
Key Issues:
• What steps should be taken to enhance the security of cyberspace?
• What resources are needed to make cyberspace resistant to adversary attacks?

Category: Cyber Power
Key Issues:
• What risks does the military face in implementing Net-Centric Operations?
• How vulnerable is the network to computer network attack?
• How should Web 2.0 technologies be exploited to enhance Influence Operations?

Category: Cyber Strategy
Key Issues:
• What norms should be used among civilized nations?
• What steps should be taken to enhance cyber deterrence?

Category: Institutional Factors
Key Issues:
• When does a cyber attack rise to the level of an act of war?
• What cascading effects are faced in attacks against critical infrastructures?
• What steps should be organized to mitigate cyber risks?

Table 9-1. Selected Cyber Policy Issues.

MEASURES OF MERIT FOR CYBER ISSUES

Table 9-2 suggests a potential decomposition of the MoMs associated with the cyber problem. It identifies four linked sets of measures: Measures of Performance (MoPs), Measures of Functional Performance (MoFPs), Measures of Effectiveness (MoEs), and Measures of Entity Empowerment (MoEEs). Since this field of endeavor is still in its infancy, the material is meant to be illustrative and not exhaustive.

Measures: Cyber Strategy (Entity Empowerment)
Representative Measures:
• Political reforms (e.g., participation in democratic elections)
• Military efforts to enhance security (e.g., reduction in number, severity of insurgent, terrorist attacks)
• Economical reforms (e.g., reconstruction projects completed)
• Social reforms (e.g., reconciliation of warring parties)
• Information (e.g., gaining trust of host nation population)
• Infrastructure (e.g., improvement in delivery of electric power, clean water)

Measures: Effectiveness (against targeted groups)
Representative Measures:
• Informational
    • Media: Number of positive/negative stories published/aired
    • Clerics: Tone of mosque sermons
• Military: Loss Exchange Ratios

Measures: Functional Performance
Representative Measures:
• Informational
    • Time to create, validate, and disseminate influence messages
    • Number of meetings held with surrogate groups

Measures: Performance
Representative Measures:
• System performance (e.g., latency, bandwidth, reliability)
• Resistance to adversary attack (e.g., ability to withstand a Denial of Service attack)

Table 9-2. Representative Measures of Merit.

MoPs are needed to characterize the key computer science and electrical engineering dimensions of the problem. A key measure is the amount of bandwidth that is available to representative users of cyberspace. As the bandwidth increases to the megahertz/sec range, the user is able to access advanced features such as imagery and video products. A second key measure is connectivity. For circumstances in which the cyber infrastructure is fixed, a useful measure is the percent of people in a country who have access to the Internet. However, in many military operations, the cyber infrastructure and the users are mobile. Under these circumstances, a more useful measure is the performance of Mobile, Ad hoc NETwork (MANET) users (e.g., their ability to stay connected). Third, one can introduce measures of the "noise" that characterizes the cyber infrastructure. For example, the extent to which the quality of the Internet is degraded can be characterized by the unwanted email that it carries ("spam"), which can subsume a substantial subset of the network's capacity. As an example, it has been estimated that in recent months, approximately 90 percent of the traffic on the Internet is spam.4 In addition, the integrity of the information is further compromised by "phishing" exploits in which criminal elements seek to employ the Internet to perpetrate economic scams. Finally, MoPs can be introduced to characterize resistance to adversary actions, including distributed denial of service (DDoS) attacks, propagation of viruses or worms, and illicit intrusion into a system.

It is useful to introduce MoFPs that characterize how successfully selected entities are able to perform key functions, taking advantage of cyberspace. In the case of the U.S. military, the concept of net-centricity is to employ advances in cyberspace to perform essential functions (e.g., use digital links to disseminate a holistic view of the situation to individual weapon systems). Similarly, a basic tenet of net-centricity is to propagate the commander's intent so that the participants in the operation can synchronize their actions.

MoEs must characterize how effective entities can be in their key missions, taking advantage of cyberspace. In the context of major combat operations, MoEs need to characterize the ability to exploit cyberspace in multiple dimensions. At one extreme, enhancements in cyberspace have the potential to reduce the time to conduct a campaign and the casualties associated with the campaign. At the other extreme, enhancements in cyberspace may substantially enhance blue-loss exchange ratios and the amount of ground gained and controlled.

From the perspective of cyber strategy, there is interest in characterizing the extent to which enhancements in cyberspace can empower key entities. In the case of nation-states, potential MoEEs might include selected political, military, economic, social, informational, and infrastructure (PMESII) variables. As an example, it might address the ability to leverage cyberspace to influence a population (e.g., "win hearts and minds"); shape a nation at strategic crossroads; and deter, persuade, and coerce an adversary.

EXISTING CYBER ASSESSMENT CAPABILITIES

Currently, there are many methods, tools, and data that are being developed to address cyber issues. This section presents a subset of those capabilities in the areas of cyberspace, cyber power, cyber strategy, and institutional factors.

Cyberspace.

In the area of data, we currently have some limited ability to collect real-world cyberspace information. For example, firms such as Gartner, Juniper, Symantec, and IBM extrapolate from samples to estimate the amount of "noise" (e.g., spam) that is infecting the real world. In addition, they provide some limited data characterizing the effectiveness of malware (e.g., DDoS attacks, worms, and viruses).

There are some limited mathematical theories that enable analysts to evaluate the performance of networks. As an illustration, techniques such as percolation theory enable one to evaluate the robustness of a network.5

There are also a variety of emerging tools that enable analysts to assess key issues in cyberspace. As a foundation for those tools, operations analysts have historically developed a deep understanding of the nature of the problem by analyzing real operations. In the case of cyber attacks, a representative set of real operations includes the following: Domain Name Server (DNS)-based "pharming attacks" to compromise the DNS server (e.g., redirect the user to a spoofed site or untrusted proxy); email-based "phishing attacks," in which the phisher might send spam or a targeted email with bait; and deceptive download attacks, in which the adversary piggybacks on other software, posts software on a web site, or corrupts a trusted site.

Similarly, a great deal of useful operational knowledge can derive from key conferences. A representative event is the yearly DEFCON, which bills itself as "the largest underground hacker convention in the world." To suggest its focus, DEFCON addressed the following issues during 2006 to 2008. In 2006, it focused on "owning" an organization through the BlackBerry and dramatically increasing the "attack surface" through the proliferation of wireless devices (e.g., WiFi) and the transition to IPv6. In 2007, the focus was placed on identity theft. In 2008, the emphasis included exploiting social software, social networks, and hacking opportunities provided by increasing the use of wireless connectivity.6

Building on these sources of operational data, there are several modeling and simulation (M&S) tools that the community is employing to address computer science and communications issues. Perhaps the best known simulation is OPNET, which is widely employed to address network architectural issues.7 However, OPNET and similar tools contain no description of potential vulnerabilities, such as adversary actions, malicious software, or insider threats. A theoretical prediction of the effects of network degradation can be obtained using OPNET (e.g., by the loss of a particular router or host); however, this is not a simulation of an actual threat.

To provide a more controlled environment for analysis, several test beds are emerging. As one example, the iCollege at National Defense University (NDU) has an Information Assurance (IA) Lab. The IA Lab offers detailed opportunities for non-experts to implant malicious code in software applications and operating systems within closed nets using openly available hacking tools.8 Similarly, the Department of Energy's Pacific Northwest Laboratory is developing a test bed to explore and evaluate alternative cyber-deception strategies.9 At the other end of the spectrum, the National Research Laboratory (NRL) has developed a Global Information Grid (GIG) Test bed to explore the myriad system-of-systems issues associated with linking new systems and networks.10

Cyber Power.

Our primary assessment tools for cyber power deal with the impact of changes in cyberspace on the military and informational levers of national power. In the military domain, interesting tools are emerging in live-virtual-constructive (LVC) simulations. For example, in assessments of air-to-air combat, insights have been derived from the live AIMVAL-ACEVAL experiments, virtual experiments in the former McDonnell Air Combat Simulator (MACS), and constructive experiments using tools such as TAC BRAWLER and EADSIM. These studies11 have enabled researchers to determine that the advantage of a digital link to an airborne interceptor enhances his or her loss-exchange-ratio by approximately 2.5 percent. However, at present, it is not feasible to generate comparable "rules of thumb" for more complex aspects of contemporary warfare (e.g., air-land battle in complex terrain).

More recently, the Information Operations (IO) Joint Munitions Effectiveness Manual (JMEM) is developing frameworks and tools to address the various pillars of IO. These include computer network operations (subsuming Computer Network Attack [CNA], computer network defense, and computer network exploitation), psychological operations (PSYOP), electronic warfare (EW), operations security, and military deception. As an illustration, JMEM is developing a CNA risk-and-effectiveness analyzer (C-REA). This tool uses the effects and response analysis module (ERAM) as its core with interfaces tailored for planners.

In the area of live simulation, the IO range is emerging, with its hub at Cyber Command (CYBERCOM). This links together a variety of existing ranges (e.g., China Lake and Huntsville) to evaluate the use of CNA or EW techniques. Ultimately, the objective is to expand the IO range to evaluate all of the five pillars of IO. However, it is not clear how the existing IO range will evolve to address these other pillars. In addition, DARPA is in the process of developing a national cyber range.

In the informational domain, techniques are emerging to address media effects. One of the major areas of interest for the PSYOP community is to evaluate the effects of media on culture and opinion. To illustrate this interest, there are several tools that have been developed and employed. These include the synthetic environments for analysis and simulation (SEAS), an agent-based model that has been developed by Simulex.12 JFCOM employed SEAS in Afghanistan to support assessments of the extent to which media broadcasts affected the attitudes of the target population. Similarly, Oak Ridge National Laboratory (ORNL) has developed a tool known as Cultural and Media Influences on Opinion (CAMIO).13 This tool uses an agent-based approach to assess the opinions of a group and how these opinions can be influenced over time. Representative issues of interest include how small groups of acquaintances form from larger populations and change over time. Furthermore, the IO JMEM has developed effectiveness of psychological influence (EPIC) to support the planning of PSYOP groups in developing and delivering messages.14 However, in each of these examples, there has not been a rigorous verification and validation (V&V) process.

Looking to the future, there is interest in applying massively multiplayer online games (MMOGs) to informational issues. MMOGs offer a self-organizing environment for strategic communication or social networking that can potentially engage very large populations. A representative MMOG is Second Life. Since it offers the possibility of collecting substantial amounts of socio-behavior data, it has the potential to acquire and analyze tacit knowledge and cultural preferences.
Cyber Strategy.

To support cyber strategy assessments, four key initiatives are being pursued. These include exercises, lessons learned from the real world, new assessment methodologies, and societal models.

Over the last 3 years, the Department of Homeland Security (DHS) has conducted three Cyber Storm national cyber exercises. There is general agreement that these exercises have served to raise awareness of the cyber threat posed to critical infrastructures. However, there is concern that no systematic process exists to transform "lessons recorded" into "lessons learned."

As noted above, operations analysts have been successful when they have effectively derived lessons learned from real-world events. In the area of cyber attack, a substantial amount has been learned from the recent cyber attacks on Estonia and Georgia. In the case of Estonia, an extensive DDoS effectively denied citizens access to key Government sites, financial locations, and the media.15 In response, Estonia has implemented a NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) to support the planning and response to such attacks. More recently, Russia apparently employed a cyber attack as a precursor to their invasion of Georgia. Although details are sketchy, information is beginning to emerge on the dynamics of that attack.16

In response to a recent tasking by STRATCOM, a new methodology and associated tools are emerging to address tailored deterrence issues. The Deterrence Analysis and Planning Support Environment (DAPSE) is a process that is also instantiated in a web application. As part of that process, they have developed a typology (consistent with various social science disciplines) to characterize the information needed for understanding adversaries and other actors of interest. In addition, they have identified a preliminary set of applicable M&S and developed a decision deterrent calculus (DDC) matrix. The DDC matrix identifies perceived feasible/acceptable options by adversaries, potential U.S. options, and the impact of the result on other actors of interest.17

Several organizations are in the process of creating and refining societal simulations. As an example, the Systems Architecture Laboratory at GMU has developed a multi-modeling facility. As an element of this tool kit, it uses colored Petri nets to create executable models to assess the effect of alternative DIME options on PMESII effects. They attempt to heuristically determine the course of action that maximizes the achievement of desired effects as a function of time.

Furthermore, DARPA's conflict modeling, planning, and outcomes experimentation (COMPOEX) program is developing decision aids to support leaders in designing and conducting future coalition-oriented, multiagency, intervention campaigns employing unified actions, or a whole of government approach to operations.18 COMPOEX generates a distribution of "plausible outcomes" rather than precise predictions. COMPOEX's components include:

• Conflict Space Tool: This provides leaders and staff with the ability to explore and map sources of instability, relationships, and centers of power to develop their theory of conflict.

• Campaign Planning Tool: A framework to develop, visualize, and manage a comprehensive campaign plan in a complex environment.

• Family of Models: These are instantiated for the current area of responsibility (AoR), based largely on systems dynamics models.19 Additional models are being developed to more accurately represent the operational environment for other AoRs.

• Option Exploration Tool: This enables a staff to explore a multiple series of actions in different environments to see the range of possible outcomes in all environments.

However, there are substantial challenges in performing V&V of these tools and transitioning them to operational users.

Institutional Factors.

In the area of institutional factors, primary emphasis has been placed on the development of legal tools and critical infrastructure protection (CIP) tools. In the legal domain, a major challenge is to characterize rapidly whether a cyber attack is an act of war. Michael N. Schmitt of Durham University has developed a framework to address that issue.20 The framework systematically considers seven factors which are: severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility. Once one has assessed each of those factors, multi-attribute utility theory can be employed to weigh each of these factors and come to a determination.

To facilitate legal decisions, a dual-decision tree system has been recommended.21 The first of these trees is a computer-based tree to assemble key data prior to an actual attack (e.g., primary and secondary levels to characterize international law, constitutional law, executive actions [directives], legislative actions [statutes], or judicial rulings [cases]). This tree is complemented by a human-based tree to support developing a legal brief in near real time, drawing on four levels of abstraction (e.g., citation, precis, excerpt, or full document).22 Similarly, the system enriches knowledge of legal issues by conducting legal analyses of real-world events (e.g., the NATO CCD COE legal assessment of the Georgian attack).23

In the area of CIP, several innovative tools are evolving. The iCollege, NDU, is refining a Supervisory Control and Data Acquisition (SCADA) Laboratory that is designed to explore the vulnerabilities of control systems for electric power generation and other critical infrastructures (e.g., chemical plants or water treatment). Alternatively, under the aegis of DHS, the National Infrastructure Simulation and Analysis Center (NISAC) is developing and applying system dynamics models to assess cascading effects among critical infrastructures. They are taking advantage of the M&S skills resident in Los Alamos National Laboratory and Sandia National Laboratory (LANL/SNL). Furthermore, the U.S. Cyber Consequences Unit (US-CCU) is developing and applying risk assessment tools to critical infrastructure issues. For example, US-CCU developed a model of value creation and destruction to evaluate the economic consequences of cyber attacks. In addition, it has published a risk assessment check list for critical infrastructures.24

NEEDED CYBER ASSESSMENT CAPABILITIES

This section briefly summarizes some of the major needs for cyber methods, tools, data, and services. In the area of cyberspace, there is a need to institute a more systematic and comprehensive process by which data are collected, organized, and V&V'ed. In addition, there is a need to go beyond OPNET to create a large-scale, high-fidelity model, which can realistically model a set of malicious activities against a real-world network.

In the area of cyber power, there is the need to develop and apply risk assessment tools that enable one to estimate the probability and consequence of a cyber attack. The results can help one prioritize the allocation of resources to support defense of these resources. Second, there is a need to develop additional functional relationships, linking changes in cyberspace to consequences in cyber power. Senior decisionmakers need access to "rules of thumb" that will enable them to assess the impact of changes in cyberspace (e.g., bandwidth, accessibility) to changes in the instruments of power (e.g., the ability to perform diplomatic, informational, military, and economic activities). At this stage, a few limiting cases exist for relatively simple operations (e.g., limited air-to-air combat). A broad set of studies should be performed that are analogous to the activities that were performed (more narrowly) by the Office of Force Transformation.

In the area of cyber strategy, there is the need to extend and apply recently developed methods. In the area of exercises, it is important to go beyond consciousness raising to the development of a process to mitigate identified cyberspace shortfalls. In addition, the method developed by DAPSE may be useful when considering potential options to deter attacks in cyberspace. Furthermore, a great deal of work is required to develop needed cyber strategy tools. First, at the MORS workshop on deterrence,25 several variants on game theory were identified and discussed to explore contemporary variants on deterrence. It might be useful to develop game-theoretic tools for analyzing potential cyber attacks. Second, most war games lack the fidelity and granularity to explore alternative IO attacks. Activities are underway to identify "best of breed" war games and to identify needed capabilities.26 Third, there is a need for tools that will support integration across kinetic and nonkinetic attacks. Currently several shortfalls limit the ability to accomplish this objective. For example, in the nonkinetic domain, the IO JMEM activity is developing tools to assess the impact of the individual IO pillars on mission effectiveness. However, there is the need for a capstone tool that will enable tradeoffs across the individual pillars. In addition, there is no tool with adequate scope and granularity to support the formulation and assessment of courses of action that subsume a mix of kinetic and nonkinetic actions.

Fourth, human, social, and cultural behavior (HSCB) will have a major impact on individuals and organizations that are subject to cyber attack. As an example, many of the most successful attacks have cleverly employed social engineering features. Thus, there is a need for a HSCB Modeling Test Bed to evaluate V&V candidate social sciences theories and tools to instantiate those tools. Finally, in the area of societal tools, the system is currently in a very primitive stage. Additional work is required to improve the constituent elements of these tools (e.g., underlying models of economic, political, or social behavior) and their interaction. In particular, there is a need for greater transparency in identifying and tracing cause-and-effect relationships. The HSCB Modeling Test Bed might be a useful mechanism to mature these tools and to perform systematic V&V of them.

Many of the creators of cyber tools lack the knowledge to apply them efficiently and effectively. One of the issues is the large number of variables associated with those tools. To begin to address this issue, two courses of action are necessary. First, flexible, adaptive, and responsive (FAR) exploratory analyses should be performed that develop response surfaces that characterize these tools.27 Second, innovative experimental designs are required (e.g., exploitation of the insights developed by NPS' SEED Center for Data Farming).28

It must be emphasized that virtually none of the tools cited above have undergone rigorous V&V. Even when some of the key V&V tests are performed, they are rarely documented in a clear, transparent fashion that enables senior decisionmakers to make reasoned judgments about the application of these tools to specific issues. The HSCB Modeling Test Bed may prove to be a useful laboratory for conducting these V&V activities.

In the area of institutional factors, there is a need for improved tools to support governance, legal assessments, and CIP issues. Historically, the United States has played a major role in governing cyberspace. However, given the global nature of the Internet, many nations have agitated for a larger role in the governance process. Currently, there is a lack of adequate tools that would enable the formulation and evaluation of key governance issues. As noted above, a proposal has been raised to assemble relevant cyber legal information into dual-decision trees that would enable lawyers to have easy access to key data. An effort is needed to design and instantiate such tools. Finally, as noted above, a number of institutions have been designing and applying a variety of tools to support the assessment of attacks against critical infrastructures (including cascading effects). At this stage, rigorous V&V efforts are required for those tools so that a senior decisionmaker will be able to assign an appropriate level of confidence against those results.


CONCLUSION

This chapter has established a framework for evaluating cyber issues; identified key policy issues that warrant analysis; identified potential MoMs for cyber analysis; characterized the state-of-the-art in performing cyber analyses; and identified key areas that warrant additional attention. As Figure 9-2 suggests, the analysis community's ability to assess cyber issues is uneven. It tends to be strongest in assessing cyberspace issues (in which computer science and electrical engineering issues predominate) and weakest in assessing cyber strategy and institutional factors.

Figure 9-2. Assessment of Existing Cyber Tools.

Overall, there will need to be a substantial infusion of resources to develop the methods, tools, data, and intellectual capital needed to address the concerns of senior decisionmakers. However, given the limited resources that are available, it is suggested that highest priority be given to the following activities. First, although there are interesting individual tools to support the analyses of cyberspace, there is a need for an integrated suite of analysis tools. At the foundation of these tools, actions must be taken to enhance data collection.

Second, the analysis community requires better tools to assess the impact of advances in cyberspace on broader military and informational effectiveness (e.g., land combat in complex terrain). Similarly, tools are necessary to assess the risks that ensue if an adversary is able to compromise net-centric operations. However, there is extensive uncertainty about many of the key parameters that are introduced in the IO JMEMs frameworks (e.g., many of the parameters that characterize the probability of arrival and the probability of damage). This suggests that exploratory analysis techniques be used with these and comparable frameworks, to deal with the massive uncertainty in key parameters. Furthermore, since human responses to cyber actions are of great importance, there is a need for a HSCB Modeling Test Bed to enhance our ability to enhance HSCB modeling.

Third, there is a need to develop tools that explore the impact of alternative mixes of offensive and defensive actions on deterrence strategies. This is extremely important because of recent proposals that have emerged from the White House.29 Although emerging societal tools are promising, it is vital that they be subject to rigorous validation, verification, and accreditation (VV&A) activities. Finally, there have been a number of studies of cyber attacks against nation-states (e.g., Estonia and Georgia). However, there is a need for a more rigorous assessment to develop and implement lessons learned.

Lastly, several efforts are underway to assess the effectiveness and impact of attacking critical infrastructures. However, if these tools are going to be valuable to senior decisionmakers, it is important that they be subject to rigorous VV&A efforts.
APPENDIX I


ABBREVIATIONS AND ACRONYMS


Abbreviation/Acronym   Meaning

AoR                    Area of Responsibility
CCDCOE                 Cooperative Cyber Defense Centre of Excellence
CAMIO                  Cultural and Media Influences on Opinion
CIP                    Critical Infrastructure Protection
CNA                    Computer Network Attack
COMPOEX                Conflict Modeling, Planning & Outcomes Experimentation
C-REA                  CNA Risk and Effectiveness Analyzer
DAPSE                  Deterrence Analysis and Planning Support Environment
DARPA                  Defense Advance Research Project Agency
DDC                    Decision Deterrent Calculus
DDoS                   Distributed Denial of Service
DHS                    Department of Homeland Security
DIME                   Diplomatic, Informational, Military, Economic
DNS                    Domain Name Server
EADSIM                 Extended Air Defense Simulation
EPIC                   Effectiveness of Psychological Influence
ERAM                   Effects and Response Analysis Module
EW                     Electronic Warfare
FAR                    Flexible, Adaptable, Robust
GMU                    George Mason University
HSCB                   Human, Social, Cultural Behavior
IA                     Information Assurance
IO                     Information Operations
IPv6                   Internet Protocol version 6
IRMC                   Information Resource Management College
JFCOM                  Joint Forces Command
JMEM                   Joint Munitions Effectiveness Manual
LANL                   Los Alamos National Laboratory
LVC                    Live-Virtual-Constructive
M&S                    Modeling and Simulation
MACS                   McDonnell Air Combat Simulator
MANET                  Mobile, Ad hoc, Network
MMOGs                  Massively Multiplayer Online Games
MoEs                   Measures of Effectiveness
MoEEs                  Measures of Entity Empowerment
MoFPs                  Measures of Functional Performance
MoMs                   Measures of Merit
MoPs                   Measures of Performance
MORS                   Military Operations Research Society
MTB                    Modeling Test Bed
NDU                    National Defense University
NISAC                  National Infrastructure Simulation and Analysis Center
NPS                    Naval Postgraduate School
NRL                    Naval Research Laboratory
ORNL                   Oak Ridge National Laboratory
PMESII                 Political, Military, Economic, Social, Information, and Infrastructure
PSYOP                  Psychological Operations
SCADA                  Supervisory Control and Data Administration
SEAS                   Synthetic Environment for Analysis and Simulation
SEED                   Simulation, Experimentation and Efficient Designs
SNL                    Sandia National Laboratory
STRATCOM               Strategic Command
US-CCU                 U.S. Cyber Consequences Unit
V&V                    Verification and Validation
VV&A                   Verification, Validation, and Accreditation

ABOUT THE CONTRIBUTORS


ADAM BOSSLER is an assistant professor of justice studies at Georgia Southern University. His research interests include testing criminological theories that have received little empirical testing, such as control balance theory, examining the application of traditional criminological theories to cybercrime for both the offender and the victim, and evaluating policies and programs aimed at reducing youth violence. Dr. Bossler holds a Ph.D. in criminology and criminal justice from the University of Missouri - St. Louis.

VINCENT BOUDREAU is a professor of political science at the City College of New York and at the CUNY Graduate and University Center. He is currently the director of the Colin Powell Center for Leadership and Service at CCNY. Dr. Boudreau is a specialist in the politics of social movements, particularly in Southeast Asia, and his latest book is Resisting Dictatorship: Repression and Protest in Southeast Asia (Cambridge University Press). He also conducts research and writes on repression, government transitions to democracy, and collective violence. At CCNY Dr. Boudreau has served as director of the M.A. Program in International Relations, chair of the Department of Political Science, director of the International Studies Program, and deputy dean of the Division of Social Science. In addition to his academic work, he has undertaken projects with ActionAid Asia, Jubilee South Asia, and The Philippine Rural Reconstruction Movement, and has consulted for Oxfam Asia, Action of Economic Reform (Philippines), and Freedom House. Dr. Boudreau holds a Ph.D. from Cornell University.


GEORGE W. BURRUSS is an assistant professor in the Center for the Study of Crime, Delinquency and Corrections, Southern Illinois University, Carbondale. He received his Ph.D. in criminology and criminal justice from the University of Missouri, St. Louis. He does research on criminal justice organizations, including juvenile courts and the police. He has published articles in Justice Quarterly, Policing, and Journal of Criminal Justice.

MELISSA DARK is a professor in computer technology and associate dean in the College of Technology at Purdue. Ms. Dark specializes in educational measurement and evaluation; her measurement and evaluation expertise has been applied to information security for the development of a hacker aptitude test for the Air Force, evaluation models for software security curriculum exercises, and evaluation theory and practice in security education. She has led faculty development projects in technology education and information security education aimed at increasing the knowledge and skills of secondary and post-secondary educators throughout the United States, and has been active in helping define the information assurance discipline. In addition to focusing on educational interventions in information security, Ms. Dark works in information security policy and economics, investigating the impact of both on the socio-technical interface that is at the core of our challenges in information security.

ABHRAJIT GHOSH is a director at Telcordia Technologies. He has extensive research and development experience in the area of cyber security, including network intrusion detection, policy-based network security management, network attack traceback, and secure communication architectures. He is currently leading research activities at Telcordia, addressing ISP level network threat monitoring issues.

JOSHUA GRUENSPECHT is the cyber security fellow at the Center for Democracy and Technology, where he specializes in issues at the intersection of law, privacy norms, and technology. He has also worked on cyber security issues at the Senate Homeland Security Government Affairs Committee, where he was the lead analyst on the Comprehensive National Cyber Security Initiative and drafted legislation to protect the national information infrastructure. Mr. Gruenspecht was also an analyst for computer-related crimes at the Department of Justice. Previously, he was an engineer designing computer network exploitation, network security, and device security solutions, first within the federal government and then with BBN Technologies. Mr. Gruenspecht earned a B.S. in computer science and English at Yale University and a J.D. at Harvard Law School.

THOMAS HOLT is an assistant professor in the School of Criminal Justice at Michigan State University specializing in computer crime, cybercrime, and technology. His research focuses on computer hacking, malware, and the role that technology and the Internet play in facilitating all manner of crime and deviance. Dr. Holt has been published in a variety of academic journals, including Crime and Delinquency, Deviant Behavior, and the Journal of Criminal Justice, and has presented his work at various computer security and criminology conferences. He is the project lead for the Spartan Devils Honeynet Project, which is a joint project of Michigan State University, Arizona State University, and private industry. In addition, he is a member of the editorial board of the International Journal of Cyber Criminology.

LOUIS H. JORDAN, JR., is the Deputy Director of the Strategic Studies Institute, U.S. Army War College, Carlisle Barracks, PA. His assignments include Flight Operations Officer, Company Executive Officer, Asst S3 Air, Asst S3 and Brigade Adjutant in the 42d Infantry (RAINBOW) Division New York Army National Guard. He served as Battalion S3 for 3-140 Aviation (CH-47D), 66th Aviation Brigade, I Corps in Stockton, California. Colonel Jordan has served at the National Guard Bureau as Deputy Division Chief for the Aviation and Safety Division. After serving at the national level, Colonel Jordan commanded the Aviation Support Battalion, Western Army National Guard Aviation Training Site in Marana, Arizona. In 2005, he was selected to be the Brigade Commander for the Western ARNG Aviation Training Site. In 2008, he was selected to command Joint Task Force Raven, the aviation task force for Operation Jump Start along the southwest border in Arizona. Colonel Jordan holds a B.A. in sociology from Fordham University, a master's in strategic studies from the U.S. Army War College, and certification in Strategic Planning from the American Management Association.

DEBORAH WILSON KEELING is currently Chair of the Department of Justice Administration, University of Louisville, KY, and is responsible for academic programs as well as the Southern Police Institute and National Crime Prevention Institute. She has conducted numerous applied research projects for local, state, and federal criminal justice agencies. Dr. Keeling has organized police training programs in the People's Republic of China, Hungary, Romania, and the Republic of Slovakia. She holds a Ph.D. in sociology from Purdue University.

MAX KILGER is a behavioral profiler for the Honeynet Project and contributes additional efforts in the areas of statistical and data analysis. He has written and co-authored research articles and book chapters on the areas of influence in decisionmaking, the interaction of people with technology, the motivations of malicious online actors, and understanding the changing social structure of the computer hacking community. He was the lead author for the Profiling chapter of the Honeynet Project's book, Know Your Enemy (2nd Ed.), which serves as a reference guide for information security professionals in government, military, and private sector organizations. Dr. Kilger also co-authored a chapter examining the vulnerabilities and risks of a cyber attack on the U.S. national electrical grid. He recently published a book chapter on social dynamics and the future of technology-driven crime. His most recent publications include two chapters dealing with cyber profiling for Reverse Deception: Organized Cyber Threat Counter-Exploitation (McGraw-Hill). Dr. Kilger was a member of the National Academy of Engineering's Combating Terrorism Committee, which was charged with recommending counterterrorism methodologies to the Congress and relevant federal agencies. He is a frequent national and international speaker to law enforcement, the intelligence community, and military commands, as well as information security forums. Dr. Kilger holds a Ph.D. from Stanford University in social psychology.

MICHAEL LOSAVIO teaches in the Department of Justice Administration and the Department of Computer Engineering and Computer Science at the University of Louisville on issues of law, ethics and society, and information security in the computer engineering and justice administration disciplines. He also works on curriculum development on the use and impact of information and computing systems in a variety of disciplines. Mr. Losavio holds a J.D. in law and a B.S. in mathematics from Louisiana State University.

TAREK SAADAWI is a professor and Director of the Center for Information Networking and Telecommunications (CINT), City College, the City University of New York. His current research interests are telecommunications networks, high-speed networks, multimedia networks, ad hoc mobile wireless networks, and secure communications. He has published extensively in the area of telecommunications and information networks. Dr. Saadawi has been on the Consortium Management Committee (CMC) for the Army Research Lab Consortium on Telecommunications (known as Collaborative Technology Alliances on Communications and Networks, CTA-C&N), from 2001 to 2009. Dr. Saadawi is a co-author of the book, Fundamentals of Telecommunication Networks (John Wiley & Sons, Inc., 1994), which has been translated into Chinese. He is guest co-editor of the Special Issue on "Mobile Ad-Hoc Wireless Networks," Journal of Advanced Research, Vol. 2, Issue 3, July 2011, pp. 195-280. He has been the lead author of the Egypt Telecommunications Infrastructure Master Plan, covering the fiber network, IP/ATM, DSL and the wireless local loop under a project funded by the U.S. Agency for International Development. He has joined the U.S. Department of Commerce delegation to the Government of Algeria addressing rural communications. He is a former Chairman of IEEE Computer Society of New York City (1986-87). Dr. Saadawi holds a B.Sc. and an M.Sc. from Cairo University, Egypt, and a Ph.D. from the University of Maryland, College Park.

J. EAGLE SHUTT is a former prosecutor and public defender and currently is an assistant professor at the Department of Justice Administration, University of Louisville, KY. He also serves as a JAG officer in the South Carolina National Guard. His research interests include biosocial criminology, culture, public policy, and law. Dr. Shutt holds a JD, an MCJ, and a PhD.

STUART STARR is the president of the Barcroft Research Institute (BRI). In that capacity, he consults to government and industry in the areas of command and control assessment, modeling and simulation (M&S), and operations analysis. Prior to founding BRI, he was Director of Plans, MITRE; Assistant Vice President, C2 and Systems Assessment, M/A-COM Government Systems; Director, Long Range Planning and Systems Evaluation, OASD(C3I), OSD, where he was a member of the Senior Executive Service (SES); and Senior Project Leader, Institute for Defense Analyses (IDA). He was a Fellow at MIT's Seminar XXI. Dr. Starr is a Fellow, Military Operations Research Society (MORS); Associate Fellow, AIAA; Member of the Army Science Board; a Senior Research Fellow at the Center for Technology and National Security Policy (CTNSP), National Defense University (NDU); and a frequent participant in Blue Ribbon Panels of NATO, the National Research Council, and the Director, Net Assessment, OSD. Dr. Starr holds a Ph.D. in electrical engineering from the University of Illinois.

U.S. ARMY WAR COLLEGE

Major General Anthony A. Cucolo III
Commandant

*****

STRATEGIC STUDIES INSTITUTE
and
U.S. ARMY WAR COLLEGE PRESS

Director
Professor Douglas C. Lovelace, Jr.

Director of Research
Dr. Steven K. Metz

Editors
Dr. Tarek Saadawi
Colonel Louis H. Jordan, Jr.
Dr. Vincent Boudreau

Editor for Production
Dr. James G. Pierce

Publications Assistant
Ms. Rita A. Rummel

*****

Composition
Mrs. Jennifer E. Nevil

ISBN 1-58487-571-2